Preface: In order to avoid the impact of the vulnerability. VMware do not provide the details for CVE-2020-3961.
Synopsis: This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Vulnerability details: VMware Horizon Client for Windows contains a privilege escalation vulnerability due to folder permission configuration and unsafe loading of libraries.
My observation: Perhaps the idea displayed on attached diagram may also have the way to do the same thing.
Reference: A local dll injection vulnerability has been discovered in the official Notepad++ software.The issue allows local attackers to inject code to vulnerable libraries to compromise the process or to gain higher access privileges.
Official announcement – please refer following link https://www.vmware.com/security/advisories/VMSA-2020-0013.html