This statement was updated on Dec. 21. Click here for the update.
Friday, December 18, 2020
To date, VMware has received no notification that the CVE 2020-4006 was used in conjunction with the SolarWinds supply chain compromise.
In addition, while we have identified limited instances of the vulnerable SolarWinds Orion software in our own internal environment, our own internal investigation has not revealed any indication of exploitation. This has also been confirmed by SolarWinds' own investigations to date.
VMware encourages all customers to apply the latest product updates, security patches and mitigations made available for their specific environment. VMware strongly encourages all customers to please visit VMSA-2020-0027 as the centralized source of information for CVE 2020-4006. Customers should also sign-up on our Security-Announce mailing list to receive new and updated VMware Security Advisories.
VMware remains committed to transparency and ensuring customer security is a top priority.