CVE-2023-20900: VMware Tools SAML Token Signature Bypass Vulnerability

A critical vulnerability has been found in VMware Tools, a set of services and modules that enable several features in VMware products for better management of, and seamless user interactions with, guests operating systems. Dubbed CVE-2023-20900, with a CVSS score of 7.5, it has captured the attention of the cyber community.

VMware Tools is not just a supplementary software package for VMware virtual machines. It plays a pivotal role in improving the interaction between the guest operating system and the hypervisor. This package offers a range of services, from enhancing graphics display to synchronizing the system’s time in virtual machines. In essence, VMware Tools is the bridge that seamlessly connects the guest OS with VMware products, facilitating better management and user experiences.


This newly disclosed flaw isn’t a trivial one; it directly concerns the SAML (Security Assertion Markup Language) token signature process, which is a cornerstone of secure identity provision in modern web services.

The vulnerability allows a malevolent actor, positioned in a man-in-the-middle (MITM) network setup between the vCenter server and a virtual machine, to dodge the SAML token signature verification. This means that the attacker could exploit this weakness to perform unauthorized VMware Tools Guest Operations.

CVE-2023-20900 was unearthed by the security researcher Peter Stöckli of GitHub Security Lab.

As with any vulnerability, it’s crucial to know whether your systems are susceptible. The affected versions of VMware Tools are:

  • For Windows: Versions 12.x.x, 11.x.x, and 10.3.x
  • For Linux: Version 10.3.x
  • For Linux (open-vm-tools): Versions 12.x.x, 11.x.x, and 10.3.x

However, VMware has acted swiftly. The versions that are patched and free from this vulnerability are:

  • For Windows: Version 12.3.0
  • For Linux: Version 10.3.26
  • For Linux (open-vm-tools): Version 12.3.0

The first line of defense? Update immediately! VMware has released updates to remediate this vulnerability in the affected products. Ensure you’re running on the unaffected versions. Regular patching is a staple of any good cybersecurity hygiene.