Coming soon | Advanced | Pro

UNC3886: vCenter RCE to ESXi Persistence (CVE-2023-34048)

VMware vCenter logs an unexpected crash of its DCERPC service at 06:39, minutes after a burst of malformed payloads from a single external address. By morning, unsigned VMware Installation Bundles have been deployed on every ESXi hypervisor, a VMCI reverse-tunnel daemon is routing covert traffic from the kernel layer, and guest VM credentials have been extracted without a single packet crossing the guest network stack. Piece together the chain from the management-plane exploit through the hypervisor implant to the below-the-guest credential theft.

1h 20m
9 tasks
150 points
Pro

Launches today

Jul 3, 2026

Friday, July 3, 2026 at 9:00 AM

Training Tools

SIEM, XDR, Firewall

What you'll investigate

9 objectives unlock when this operation goes live.

1. Locate the exploit entry point
2. Name the crashed service
3. Trace the staging activity
4. Identify the SSH enablement mechanism
5. Name the malicious VIB package
6. Find the persistent backdoor binary
7. Locate the covert C2 channel destination
8. Trace the guest credential harvest
9. Map the VIB backdoor to its ATT&CK technique
