Security Advisory 2022-076

Release Date:

Critical Vulnerability in VMware Cloud Foundation



  • 31/10/2022 - v1.0 - Initial publication


On October 25, 2022, VMware released a new version of Cloud Foundation (NSX-V) fixing a critical Remote Code Execution vulnerability [1]. VMware has confirmed that exploit code leveraging CVE-2021-39144 against impacted products has been published [2]. It is highly recommended to apply the latest version.

Technical Details

The vulnerability, identified by CVE-2021-39144, with a CVSS score of 9.8 out of 10, is due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V). By exploiting this vulnerability, an unauthenticated attacker could achieve remote code execution in the context of the root user on the affected server.
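
For teams that use XStream in their own services, the usual defence against this class of flaw is a type allowlist, so that XML from an untrusted caller can only be turned into the few types the endpoint expects. The following Java example is added here for illustration and is not code from VMware or from this advisory; the PortRule class and both XML inputs are constructed, and it does not replace upgrading the affected appliances.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.StaxDriver;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical DTO: the only application type this endpoint should accept.
    public static class PortRule {
        public String name;
        public int port;
    }

    // Build an XStream instance that denies every type, then allows a minimal set.
    static XStream hardenedXStream() {
        XStream xs = new XStream(new StaxDriver());
        xs.addPermission(NoTypePermission.NONE);              // clear all permissions
        xs.addPermission(NullPermission.NULL);                // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow primitives and wrappers
        xs.allowTypes(new Class[] { String.class, PortRule.class });
        xs.alias("portRule", PortRule.class);
        return xs;
    }

    // Returns the parsed rule, or null when the input names a type outside the allowlist
    // or is otherwise rejected by XStream.
    static PortRule parse(XStream xs, String xml) {
        try {
            return (PortRule) xs.fromXML(xml);
        } catch (XStreamException | ClassCastException e) {
            System.err.println("rejected input: " + e.getClass().getSimpleName());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xs = hardenedXStream();

        // Constructed input: the expected type.
        PortRule ok = parse(xs, "<portRule><name>https</name><port>443</port></portRule>");
        System.out.println("expected type accepted: " + (ok != null && ok.port == 443));

        // Constructed input: a harmless JDK type that is not on the allowlist.
        PortRule other = parse(xs, "<java.util.Date>2022-10-31 00:00:00.0 UTC</java.util.Date>");
        System.out.println("unlisted type rejected: " + (other == null));
    }
}
```

Logging the rejection, as parse() does here, also gives defenders a signal when an endpoint receives XML that names unexpected types.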

Affected Products

  • All versions of VMware NSX Data Center for vSphere (NSX-V) prior to NSX-V 6.4.14 appliances [3]
  • All VMware Cloud Foundation (VCF) 3.x versions


CERT-EU highly recommends applying the latest version or the workaround provided by VMware.




