VMware has released security updates to address a Critical OpenSLP remote code execution vulnerability (CVE-2019-5544) in ESXi and Horizon DaaS.
According to the VMware advisory VMSA-2019-0022, the heap overwrite issue impacts OpenSLP as used in ESXi and the Horizon DaaS appliances. VMware has assigned this Critical vulnerability a CVSSv3 severity score of 9.8.
“A malicious actor with network access to port 427 on an ESXi host or on any Horizon DaaS management appliance may be able to overwrite the heap of the OpenSLP service resulting in remote code execution,” VMware warned in the advisory.
VMware recommends administrators apply the necessary updates as soon as possible.