
UNC3886: vCenter RCE to ESXi Persistence (CVE-2023-34048)
VMware vCenter logs an unexpected crash of its DCERPC service at 06:39, minutes after a burst of malformed payloads from a single external address. By morning, unsigned VMware Installation Bundles have been deployed on every ESXi hypervisor, a VMCI reverse-tunnel daemon is routing covert traffic from the kernel layer, and guest VM credentials have been extracted without a single packet crossing the guest network stack. Piece together the chain from the management-plane exploit through the hypervisor implant to the below-the-guest credential theft.
Launches today
Friday, July 3, 2026 at 9:00 AM
Pro unlocks this operation at launch.
What you'll investigate
9 objectives unlock when this operation goes live.