Critical Start, a leading provider of cybersecurity solutions, announced that the company's Section 8 Penetration Testing Team discovered a security vulnerability in VMware NSX SD-WAN by VeloCloud environments. This issue could affect a wide range of network devices, including routers, switches and firewalls, thereby exposing sensitive, network-based information to unauthorized access and use.
Critical Start found an unauthenticated command injection vulnerability and alerted VMware's Security Response Center. VMware promptly released a patch to address the vulnerability. More detailed information is available in a recent blog post from Critical Start, which includes links to resources for reporting and patching.
Critical Start's Section 8 team followed responsible disclosure procedure by submitting the vulnerability to VMware's Security Response Center and waiting for a patch to be released for the affected devices before publishing any information. The vulnerability was also disclosed independently to VMware by security researcher Brian Sullivan from Tevora.
"As networking equipment has increasingly become virtualized and software-defined, it has opened up new attack vectors for criminals and hackers to try and access the systems, data and assets of businesses of all sizes," said Rob Davis, CEO at Critical Start. "A key part of our security services, the Section 8 PenTest team continues to identify new vulnerabilities and inform vendors of the discoveries so quick action can be taken to resolve the findings. We feel strongly that security is a team effort that requires the diligent efforts of many organizations and individuals working together across the industry."