VDI vulnerabilities

Showing 1 - 50 of 94 CVEs

  1. CVE-2026-3055 Published Mar 23, 2026

    Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread

  2. CVE-2026-4368 Published Mar 23, 2026

    Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server leading to User Session Mixup

  3. CVE-2026-22719 Published Feb 25, 2026

    VMware Aria Operations contains a command injection vulnerability. A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress. To remediate CVE-2026-22719, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' (https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947) in VMSA-2026-0001. Workarounds for CVE-2026-22719 are documented in the 'Workarounds' column of the 'Response Matrix' in VMSA-2026-0001.

  4. CVE-2026-22769 Published Feb 17, 2026

    Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.

  5. CVE-2026-21533 Published Feb 10, 2026

    Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate privileges locally.

  6. CVE-2026-21525 Published Feb 10, 2026

    Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally.

  7. CVE-2026-21519 Published Feb 10, 2026

    Access of resource using incompatible type ('type confusion') in Desktop Window Manager allows an authorized attacker to elevate privileges locally.

  8. CVE-2026-21514 Published Feb 10, 2026

    Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.

  9. CVE-2026-21513 Published Feb 10, 2026

    Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.

  10. CVE-2026-21510 Published Feb 10, 2026

    Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.

  11. CVE-2026-21982 Published Jan 20, 2026

    Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

  12. CVE-2026-21956 Published Jan 20, 2026

    Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

  13. CVE-2026-20805 Published Jan 13, 2026

    Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.

  14. CVE-2025-64740 Published Nov 13, 2025

    Improper verification of cryptographic signature in the installer for Zoom Workplace VDI Client for Windows may allow an authenticated user to conduct an escalation of privilege via local access.

  15. CVE-2025-60703 Published Nov 11, 2025

    Untrusted pointer dereference in Windows Remote Desktop allows an authorized attacker to elevate privileges locally.

  16. CVE-2025-59230 Published Oct 14, 2025

    Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.

  17. CVE-2025-6759 Published Jul 8, 2025

    Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges in Windows Virtual Delivery Agent for CVAD and Citrix DaaS

  18. CVE-2025-6543 Published Jun 25, 2025

    Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

  19. CVE-2025-5777 Published Jun 17, 2025

    Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

  20. CVE-2025-5349 Published Jun 17, 2025

    Improper access control on the NetScaler Management Interface in NetScaler ADC and NetScaler Gateway

  21. CVE-2025-21416 Published Apr 30, 2025

    Missing authorization in Azure Virtual Desktop allows an authorized attacker to elevate privileges over a network.

  22. CVE-2025-27482 Published Apr 8, 2025

    Sensitive data storage in improperly locked memory in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network.

  23. CVE-2025-27480 Published Apr 8, 2025

    Use after free in Remote Desktop Gateway Service allows an unauthorized attacker to execute code over a network.

  24. CVE-2025-22226 Published Mar 4, 2025

    VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

  25. CVE-2025-22225 Published Mar 4, 2025

    VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.

  26. CVE-2025-22224 Published Mar 4, 2025

    VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

  27. CVE-2025-21297 Published Jan 14, 2025

    Windows Remote Desktop Services Remote Code Execution Vulnerability

  28. CVE-2024-49115 Published Dec 12, 2024

    Windows Remote Desktop Services Remote Code Execution Vulnerability

  29. CVE-2024-49106 Published Dec 12, 2024

    Windows Remote Desktop Services Remote Code Execution Vulnerability

  30. CVE-2024-49105 Published Dec 12, 2024

    Remote Desktop Client Remote Code Execution Vulnerability

  31. CVE-2024-8069 Published Nov 12, 2024

    Limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording if the attacker is an authenticated user on the same intranet as the session recording server

  32. CVE-2024-8068 Published Nov 12, 2024

    Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain

  33. CVE-2024-43533 Published Oct 8, 2024

    Remote Desktop Client Remote Code Execution Vulnerability

  34. CVE-2024-38813 Published Sep 17, 2024

    The vCenter Server contains a privilege escalation vulnerability. A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet.

  35. CVE-2024-38812 Published Sep 17, 2024

    The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

  36. CVE-2024-7889 Published Sep 11, 2024

    Local privilege escalation allows a low-privileged user to gain SYSTEM privileges in Citrix Workspace app for Windows

  37. CVE-2024-5148 Published Sep 2, 2024

    A flaw was found in the gnome-remote-desktop package. The gnome-remote-desktop system daemon performs inadequate validation of session agents using D-Bus methods related to transitioning a client connection from the login screen to the user session. As a result, the system RDP TLS certificate and key can be exposed to unauthorized users. This flaw allows a malicious user on the system to take control of the RDP client connection during the login screen-to-user session transition.

  38. CVE-2024-6286 Published Jul 10, 2024

    Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges in Citrix Workspace app for Windows

  39. CVE-2024-6151 Published Jul 10, 2024

    Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges in Virtual Delivery Agent for Windows used by Citrix Virtual Apps and Desktops and Citrix DaaS

  40. CVE-2024-6150 Published Jul 10, 2024

    A non-admin user can cause short-term disruption in Target VM availability in Citrix Provisioning

  41. CVE-2024-6149 Published Jul 10, 2024

    Redirection of users to a vulnerable URL in Citrix Workspace app for HTML5

  42. CVE-2024-6148 Published Jul 10, 2024

    Bypass of GACS Policy Configuration settings in Citrix Workspace app for HTML5

  43. CVE-2024-6235 Published Jul 10, 2024

    Sensitive information disclosure in NetScaler Console

  44. CVE-2024-38077 Published Jul 9, 2024

    Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

  45. CVE-2024-38076 Published Jul 9, 2024

    Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

  46. CVE-2024-38074 Published Jul 9, 2024

    Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability

  47. CVE-2024-37079 Published Jun 18, 2024

    vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

  48. CVE-2024-27244 Published May 15, 2024

    Insufficient verification of data authenticity in the installer for Zoom Workplace VDI App for Windows may allow an authenticated user to conduct an escalation of privilege via local access.

  49. CVE-2024-24697 Published Feb 14, 2024

    Untrusted search path in some Zoom 32 bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.

  50. CVE-2024-24691 Published Feb 14, 2024

    Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access.