Vcloud Director vulnerability allows hacking networks of enterprises using VMware

A group of database activity monitoring specialists has revealed the finding of a critical vulnerability in Cloud Director, a cloud resource deployment, automation and management platform developed by VMware. Exploiting this vulnerability would allow threat actors to access sensitive information and control private configuration cloud deployments within a complete infrastructure.

The security report mentions that the vulnerability can be exploited through HTML5 and Flex-based user interfaces, the Explorer API interface, and the access API. The flaw can be found in versions 10.0.x earlier than, in 9.7.0.x earlier than and in 9.1.0.x earlier than   

Database activity monitoring specialists from Czech firm Citadelo discovered the vulnerability after a company (whose name was not revealed, but is known to be on the Fortune 500 list) to conduct a security audit on its cloud infrastructure. The cybersecurity firm also published a proof of concept to demonstrate the flaw’s exploitation.

“We discovered the flaw from a simple anomaly; when you enter ${7*7} as the host name for the SMTP server in vCloud Director, we sense an error: the string value is in an invalid format, indicating some form of expression language injection. We were able to evaluate simple server-side functions,” the Citadelo report says.  

According to the database activity monitoring experts, using this condition as an entry point, arbitrary Java classes (such as “”) can be accessed and instantiated when sending malicious payloads in vulnerable software. In their proof of concept, researchers were able to:

  • View the contents of the system database, including password hashes of the clients assigned to the deployment
  • Modify the system database to access virtual machines
  • Scale privileges from “Organization Administrator” to “System Administrator”
  • Modify the Cloud Director login page, allowing hackers to get other customers’ passwords
  • Access other sensitive customer-related data, such as full names, email addresses, or IP addresses

VMWare acknowledged the report and announced the release of the relevant fixes, which are already available. The company fixed the flaws in a number of updates covering versions,, and The company also published a workaround on its website.

For further reports on vulnerabilities, exploits, malware variants, and computer security risks, cybersecurity awareness experts recommend visiting the International Institute of Cyber Security (IICS) website, as well as official technology company platforms.