Threat Research

VMware ESXi Command Injection Vulnerability

By Zhouyuan Yang | September 26, 2019


VMware is the market leader in cloud infrastructure software, with over 41% market share. The VMware ESXi solution is a bare metal hypervisor that installs directly onto your physical server and partitions it into multiple virtual machines.

The FortiGuard Labs team recently discovered a command injection vulnerability in VMware ESXi. This vulnerability is identified as CVE-2017-16544. This command injection vulnerability is caused by the built-in BusyBox. A local attacker could create or upload a file with a crafted filename, allowing the attacker to execute arbitrary commands using the victim’s permission when the victim tries to access, modify, or delete this file from the terminal.

This command injection vulnerability affects VMware versions 6.0, 6.5 and 6.7.


The command injection vulnerability is caused by the add_match function in BusyBox. BusyBox doesn’t sanitize filenames, which can result in executing an escape sequence in the terminal.

An attacker could create a PoC file with the vi editor using the following commands: “vi test' [enter] some_commands_here [enter] ' [enter]”, then save the file. In this example, I am using the command “date” to demonstrate this issue, as shown in Figure 1.

Figure 1. Creating a PoC for CVE-2017-16544

When anyone tries to access, modify or delete this file, the injected command “date” will be executed in their terminal.

Figure 2. A VMware ESXi Command Injection is triggered

To force the victim to access, modify, or delete this file in the terminal, the attacker could create the file with a name starting with “\\\”. This new PoC could not then be deleted in the web interface, as shown in Figure 3 & 4.

Figure 3. Creating a GUI safe PoC file for CVE-2017-16544

Figure 4. Failure to delete the PoC file in the web interface

For a more successful attack, the attacker could build a zip file including the PoC file, which can be hidden with a system ISO file, a patch, or a pre-built virtual machine to trick the victim into uploading and unzipping it.

The victim may notice this crafted file because it has an abnormal filename, but it cannot be deleted in the web interface, as shown in Figure 4 above. Instead, the victim has to go to the terminal to delete it. Once the victim tries to access, modify, or delete the PoC file in the terminal, the injected commands will then be executed with the victim’s terminal permission.

Figure 5. Hiding the PoC in a zip file


FortiGuard Labs contacted VMware about this discovery in August, 2018 and have worked with VMware to remediate this issue. On 16th of September 2019, VMware issued a patch to address this issue. All users of vulnerable versions of VMware ESXi are encouraged to upgrade to the latest VMware ESXi version or apply the latest patches immediately.

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolioSign up for our weekly FortiGuard Threat Brief. 

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.