1. Impacted Products
VMware SD-WAN (Edge)
An Authentication Bypass Vulnerability affecting VMware SD-WAN was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
3. VMware SD-WAN Bypass Authentication Vulnerability (CVE-2023-20899)
Known Attack Vectors
A malicious actor with network access to the Edge Local Web UI can download an Edge Diagnostic bundle of the application without authentication. Local Web UI Access is disabled by default.
To remediate CVE-2023-20899 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.
By default access to the Edge local UI is disabled. VMware recommends leaving the Local Web UI disabled. Instructions on disabling the Local Web UI after it has been manually enabled can be found in the VMware SD-WAN Product Documentation. Following the Hardening Guidelines will prevent this vulnerability from being exploited. (Velocloud Security Hardening Guidelines)
This vulnerability affects Edge devices only and not the SD-WAN management console (VCO)
VMware would like to thank Marco Bruinenberg of Accenture for reporting this issue to us.
Fixed Version(s) and Release Notes:
VMware SD-WAN 4.5.2 Release Notes: https://docs.vmware.com/en/VMware-SASE/4.5.2/rn/vmware-sase-452-release-notes/index.html
Downloads and Documentation:
Mitre CVE Dictionary Links:
FIRST CVSSv3 Calculator:
5. Change Log
E-mail list for product security notifications and announcements:
This Security Advisory is posted to the following lists:
PGP key at:
VMware Security Advisories
VMware Security Response Policy
VMware Lifecycle Support Phases
VMware Security & Compliance Blog
Copyright 2023 VMware Inc. All rights reserved.