VMware security advisories
16 threat alerts tracking vulnerabilities and security advisories that affect VMware products.
Vulnios continuously monitors VMware CVE feeds, vendor advisories, CISA KEV listings, and exploit-prediction data. Each alert below is enriched with severity, exploitation status, affected products, and a remediation path. Use this page to scan recent VMware security news in one place, or click into an individual alert for full detail.
Critical Vulnerability: CVE-2016-7456 — vmware — vsphere_data_protection
VMware vSphere Data Protection (VDP) 5.5.x through 6.1.x has an SSH private key with a publicly known password, which makes it easier for remote attackers to obtain login access via an SSH session.
critical CVE-2016-7456

Critical Vulnerability: CVE-2016-7460 — vmware — vrealize_automation
The Single Sign-On feature in VMware vCenter Server 5.5 before U3e and 6.0 before U2a and vRealize Automation 6.x before 6.2.5 allows remote attackers to read arbitrary files or cause a denial of serv
critical CVE-2016-7460

Critical Vulnerability: CVE-2016-7457 — vmware — vrealize_operations
VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to gain privileges, or halt and remove virtual machines, via unspecified vectors.
critical CVE-2016-7457

Critical Vulnerability: CVE-2016-5336 — vmware — vrealize_automation
VMware vRealize Automation 7.0.x before 7.1 allows remote attackers to execute arbitrary code via unspecified vectors.
critical CVE-2016-5336

Critical Vulnerability: CVE-2016-5333 — vmware — photon_os
VMware Photon OS OVA 1.0 before 2016-08-14 has a default SSH public key in an authorized_keys file, which allows remote attackers to obtain SSH access by leveraging knowledge of the private key.
critical CVE-2016-5333

Critical Vulnerability: CVE-2026-40976 — vmware — spring_boot
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web applicat
critical CVE-2026-40976

Critical Vulnerability: CVE-2012-1516 — vmware — esx, esxi
The VMX process in VMware ESXi 3.5 through 4.1 and ESX 3.5 through 4.1 does not properly handle RPC commands, which allows guest OS users to cause a denial of service (memory overwrite and process cra
critical CVE-2012-1516

Critical Vulnerability: CVE-2026-40982 — vmware — spring_cloud_config
Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially craf
critical CVE-2026-40982

Critical Vulnerability: CVE-2017-4919 — vmware — vcenter_server
VMware vCenter Server 5.5, 6.0, 6.5 allows vSphere users with certain, limited vSphere privileges to use the VIX API to access Guest Operating Systems without the need to authenticate.
critical CVE-2017-4919

Critical Vulnerability: CVE-2017-4923 — vmware — vcenter_server
VMware vCenter Server (6.5 prior to 6.5 U1) contains an information disclosure vulnerability. This issue may allow plaintext credentials to be obtained when using the vCenter Server Appliance file-bas
critical CVE-2017-4923

Critical Vulnerability: CVE-2017-4918 — vmware — horizon_view
VMware Horizon View Client (2.x, 3.x and 4.x prior to 4.5.0) contains a command injection vulnerability in the service startup script. Successful exploitation of this issue may allow unprivileged user
critical CVE-2017-4918

Critical Vulnerability: CVE-2017-4914 — vmware — vsphere_data_protection
VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x contains a deserialization issue. Exploitation of this issue may allow a remote attacker to execute commands on the appliance.
critical CVE-2017-4914

Critical Vulnerability: CVE-2017-4907 — vmware — horizon_view, unified_access_gateway
VMware Unified Access Gateway (2.5.x, 2.7.x, 2.8.x prior to 2.8.1) and Horizon View (7.x prior to 7.1.0, 6.x prior to 6.2.4) contain a heap buffer-overflow vulnerability which may allow a remote attac
critical CVE-2017-4907

Critical Vulnerability: CVE-2017-4917 — vmware — vsphere_data_protection
VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x locally stores vCenter Server credentials using reversible encryption. This issue may allow plaintext credentials to be obtained.
critical CVE-2017-4917

Critical Vulnerability: CVE-2017-4901 — vmware — fusion, workstation
The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 has an out-of-bounds memory access vulnerability. This may allow a guest to execut
critical CVE-2017-4901

Critical Vulnerability: CVE-2014-3527 — vmware — spring_security
When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. Thi
critical CVE-2014-3527