CVE-2017-4952

VMware Xenon 1.x, prior to 1.5.4-CR7_1, 1.5.7_7, 1.5.4-CR6_2, 1.3.7-CR1_2, 1.1.0-CR0-3, 1.1.0-CR3_1,1.4.2-CR4_1, and 1.5.4_8, contains an authentication bypass vulnerability due to insufficient access controls for utility endpoints. Successful exploitation of this issue may result in information disclosure.

Published: 2018-05-02 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2017-4952 is rated Moderate Risk (61/100): CVSS High severity, with medium exploitation likelihood (EPSS 3.94%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2017-4952

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-07-07 4.09% 3.94% -0.15%
2 2026-06-15 1.92% 4.09% +2.17%
3 2025-12-12 1.92%

Full EPSS history (18 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2017-4952

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 3.0 HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.
3.9 3.6 [email protected]
5.0 2.0 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:N)
No integrity impact.
Availability impact (A:N)
No availability impact.
10.0 2.9 [email protected]

Weakness enumeration for CVE-2017-4952

Affected software / configurations for CVE-2017-4952

Vendor Product Version Raw CPE
vmware xenon >= 1.0.0, <= 1.5.3 cpe:2.3:a:vmware:xenon:*:*:*:*:*:*:*:*
vmware xenon 1.1.0 cpe:2.3:a:vmware:xenon:1.1.0:cr0-3:*:*:*:*:*:*
vmware xenon 1.1.0 cpe:2.3:a:vmware:xenon:1.1.0:cr3_1:*:*:*:*:*:*
vmware xenon 1.3.7 cpe:2.3:a:vmware:xenon:1.3.7:cr1_2:*:*:*:*:*:*
vmware xenon 1.4.2 cpe:2.3:a:vmware:xenon:1.4.2:cr4_1:*:*:*:*:*:*
vmware xenon 1.5.4 cpe:2.3:a:vmware:xenon:1.5.4:cr2:*:*:*:*:*:*
vmware xenon 1.5.4 cpe:2.3:a:vmware:xenon:1.5.4:cr3:*:*:*:*:*:*
vmware xenon 1.5.4 cpe:2.3:a:vmware:xenon:1.5.4:cr4:*:*:*:*:*:*
vmware xenon 1.5.4 cpe:2.3:a:vmware:xenon:1.5.4:cr5:*:*:*:*:*:*
vmware xenon 1.5.4 cpe:2.3:a:vmware:xenon:1.5.4:cr6:*:*:*:*:*:*
vmware xenon 1.5.4 cpe:2.3:a:vmware:xenon:1.5.4:cr6_1:*:*:*:*:*:*
vmware xenon 1.5.4 cpe:2.3:a:vmware:xenon:1.5.4:cr6_2:*:*:*:*:*:*
vmware xenon 1.5.4 cpe:2.3:a:vmware:xenon:1.5.4:cr7:*:*:*:*:*:*
vmware xenon 1.5.4_8 cpe:2.3:a:vmware:xenon:1.5.4_8:*:*:*:*:*:*:*
vmware xenon 1.5.7_7 cpe:2.3:a:vmware:xenon:1.5.7_7:*:*:*:*:*:*:*

References for CVE-2017-4952

URL Tags
http://seclists.org/oss-sec/2018/q1/153 Mailing List Third Party Advisory
http://www.securityfocus.com/bid/103093 Third Party Advisory VDB Entry
https://github.com/vmware/xenon/commit/055ae13603f0cc3cd7cf59f20ce314bf8db583e1 Patch Third Party Advisory
https://github.com/vmware/xenon/commit/06b9947cf603ba40fd8b03bfeb2e84528a7ab592 Patch Third Party Advisory
https://github.com/vmware/xenon/commit/30ae41bccf418d88b52b35a81efb3c1304b798f8 Patch Third Party Advisory
https://github.com/vmware/xenon/commit/5682ef8d40569afd00fb9a5933e7706bb5b66713 Patch Third Party Advisory
https://github.com/vmware/xenon/commit/756d893573414eec8635c2aba2345c4dcf10b21c Patch Third Party Advisory
https://github.com/vmware/xenon/commit/7a747d82b80cd38d2c11a0d9cdedb71c722a2c75 Patch Third Party Advisory
https://github.com/vmware/xenon/commit/b1fd306047ecdac82661d636ebee801a7f2b3a0a Patch Third Party Advisory
https://github.com/vmware/xenon/commit/c23964eb57e846126daef98ef7ed15400313e977 Patch Third Party Advisory
https://github.com/vmware/xenon/commit/ec30db9afada9cb52852082ce4d7d0095524f3b3 Patch Third Party Advisory
cvelogic Threat Intelligence