CVE-2023-34048

ENISA EUVD: EUVD-2023-38166 ↗

Exploited in the Wild ✓ Confirmed 0-Day

Triaged: March 5, 2026 7 articles Published: 2023-10-25

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

93.21%

probability

This CVE has a 93.21% probability of being exploited in the next 30 days.

0% Top 99.8th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

9.8

CRITICAL

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)

vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds write potentially leading to remote code execution.

Affected Products

VMware

VMware vCenter Server

8.0 7.0

VMware

VMware Cloud Foundation (VMware vCenter Server)

5.x 4.x

vmware

vcenter server

VMware

VMware Cloud Foundation (VMware vCenter Server)

4.x

VMware

VMware vCenter Server

8.0 <8.0U2

VMware

VMware vCenter Server

7.0 <7.0U3o

VMware

VMware Cloud Foundation (VMware vCenter Server)

5.x

Attack Intelligence

CWE-118 · Incorrect Access of Indexable Resource ('Range Error') CWE-119 · Buffer Overflow CWE-664 · Improper Control of a Resource Through its Lifetime CWE-787 · Out-of-bounds Write

https://www.vmware.com/security/advisories/VMSA-2023-0023.html

Signal Intelligence

Confidenceⓘ

92%

EPSS 93.21%

CVSS v3.1 9.8

Mentions 7

Last Seen May 08, 2025

CNA Information

CNA Assigner

vmware

CNA Title

VMware vCenter Server Out-of-Bounds Write Vulnerability

Analyst Note

CVE-2023-34048 is explicitly named as a zero-day exploited in attacks by Broadcom's October 2023 security advisory. Article [1] directly states 'Broadcom fixes three VMware zero-days exploited in attacks,' and article [2] confirms Chinese hackers exploited this vulnerability as a zero-day for two years prior to the October 2023 patch, establishing clear in-the-wild exploitation before patch availability.