The vendor has addressed the issue (CVE-2023-20858). Are you interested in digging a little more? (23rd Feb 2023)

Preface: Fundamentally, a so-called software application system integrates an operating system, a web server, a database and the application software itself. If the application's design depends on an application framework bundled with the web server, the impact of a flaw does not affect only a single component.

Background: VMware Carbon Black Cloud Endpoint™ Standard is a next-generation antivirus (NGAV) and endpoint detection and response (EDR) solution that protects against the full spectrum of modern cyberattacks. Furthermore, VMware Carbon Black® App Control™ is used to lock down servers and critical systems, prevent unwanted changes, and ensure continuous compliance with regulatory mandates. The VMware Carbon Black App Control software platform requirements cover the App Control Server, the SQL Server database that stores App Control data, and the App Control Agent.

Vulnerability details: VMware Carbon Black App Control contains an injection vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.
Impact: A vulnerability, which was classified as critical, has been found in VMware Carbon Black App Control up to 8.7.7/8.8.5/8.9.3.

One possible way of encountering the CVE-2023-20858 vulnerability: (Observation) VMware Carbon Black App Control 8.8 works with Microsoft .NET Framework 4.8.
A zero-day vulnerability (CVE-2023-21808) was released by Microsoft this month, on February 14, 2023. Its design weakness leads to RCE (Remote Code Execution). This design weakness could possibly trigger a similar Carbon Black App Control vulnerability (CVE-2023-20858).

Official announcement: For details of the vulnerability in the Carbon Black product, as published by VMware, please refer to the official article –
