CVE-2019-5531
high-risk
Published 2019-09-18
VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b, and 6.0 prior to 6.0 U3j) contain an information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user’s browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.
Do I need to act?
-
0.38% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10
Medium
NETWORK
/ LOW complexity
Affected Products (20)
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Vsphere Esxi
Affected Vendors
50
/ 100
high-risk
Severity
21/34 · High
Exploitability
1/34 · Minimal
Exposure
28/34 · Critical