Open Nav
Sign Up

Security Flaw in VMware’s Enhanced Authentication Plugin (EAP) Puts Active Directory at Risk

Bar Refael

February 21, 2024

VMware has issued an urgent advisory to uninstall the deprecated Enhanced Authentication Plugin (EAP) due to a critical security flaw identified as CVE-2024-22245 (CVSS score: 9.6). The vulnerability is an arbitrary authentication relay bug that could compromise Active Directory.

Vulnerability Details:

  • CVE ID: CVE-2024-22245
  • CVSS Score: 9.6 (Critical)
  • Affected Software: VMware Enhanced Authentication Plugin (EAP)
  • Impact: Arbitrary authentication relay, compromising Active Directory

Description:

The vulnerability allows a malicious actor to trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs). EAP, deprecated as of March 2021, is designed for direct login to vSphere’s management interfaces and tools through a web browser. A related session hijack flaw (CVE-2024-22250, CVSS score: 7.8) was also discovered, allowing a malicious actor with unprivileged local access to a Windows operating system to seize a privileged EAP session.

Mitigation Strategies:

  • Uninstall EAP: VMware recommends uninstalling the Enhanced Authentication Plugin altogether to mitigate potential threats. Use the client operating system’s method of uninstalling software to remove EAP from client systems.
  • Monitor for Suspicious Activity: Keep an eye on Active Directory logs for any unusual activity that may indicate exploitation attempts.
  • Regular Updates: Ensure that all VMware and other software are up to date with the latest security patches and updates.

Recommendations:

IT and security teams should take immediate action to uninstall the Enhanced Authentication Plugin from affected systems. Given the critical nature of the vulnerability and its potential impact on Active Directory, swift remediation is essential to maintain the security of the network and sensitive data.

Stay safe and informed,

OP Innovate Research Team.

Resources highlights

High-Severity WordPress Vulnerability in Forminator Plugin (CVE-2025-6463)

A critical vulnerability in the Forminator plugin, one of the most popular form-building plugins in Wordpress, allows unauthenticated attackers to delete arbitrary files on the…

Read more >

CVE-2025-6463

CVE-2025-6554: Chrome V8 Zero-Day Exploited in the Wild

On June 30, 2025, Google issued an emergency patch for a critical zero-day vulnerability in its Chrome browser, tracked as CVE-2025-6554. The flaw resides in…

Read more >

CVE-2025-6554

Critical Cisco ISE Vulnerabilities Lead to Unauthenticated RCE (CVE-2025-20281 & CVE-2025-20282)

On June 25, 2025, Cisco disclosed and patched two critical remote code execution (RCE) vulnerabilities: CVE-2025-20281 and CVE-2025-20282, affecting its widely deployed Identity Services Engine…

Read more >

CVE-2025-20281 & CVE-2025-20282

Critical Vulnerability in MegaRAC BMC Added to CISA’s KEV: CVE-2024-54085

On June 25, 2025, CISA added CVE‑2024‑54085, a critical authentication bypass vulnerability in the MegaRAC SPx Baseboard Management Controller (BMC) firmware, to its Known Exploited…

Read more >

CVE-2024-54085

‘UMBRELLA STAND’ Malware Targets Fortinet FortiGate Firewalls

‘UMBRELLA STAND’ Malware Targets Fortinet FortiGate Firewalls The UK’s National Cyber Security Centre (NCSC) has issued an alert regarding a sophisticated malware campaign dubbed “UMBRELLA…

Read more >

umbrella stand fortinet

CVE-2025-49144: Privilege Escalation in Notepad++ Installer Enables Full SYSTEM Access

A critical local privilege escalation vulnerability in the Notepad++ v8.8.1 installer allows attackers to escalate to NT AUTHORITY\SYSTEM using binary planting techniques. Tracked as CVE-2025-49144,…

Read more >

CVE-2025-49144
Under Cyber Attack?

Fill out the form and we will contact you immediately.