Assisted Migration Agent
Monthly
Arbitrary file write in kubev2v assisted-migration-agent allows an unauthenticated attacker on the same LAN to achieve code execution on the appliance by uploading a crafted gzipped tarball that bypasses path traversal checks via chained symlinks. The flaw resides in the VDDK tarball extraction routine (extractTarGz in internal/services/vddk.go) and has a high CVSS of 9.6 due to scope change and full CIA impact, though no public exploit has been identified at time of analysis.
Credential interception in kubev2v assisted-migration-agent allows network-positioned attackers to harvest vCenter administrator credentials because the agent's vCenter client establishes TLS connections with certificate verification effectively disabled by default. The flaw, reported by Red Hat and tracked as EUVD-2026-36032, has no public exploit identified at time of analysis and an EPSS score of 0.01% (percentile 1%), but successful MITM exploitation yields full administrative access to the targeted vCenter.
Arbitrary file write in kubev2v assisted-migration-agent allows an unauthenticated attacker on the same LAN to achieve code execution on the appliance by uploading a crafted gzipped tarball that bypasses path traversal checks via chained symlinks. The flaw resides in the VDDK tarball extraction routine (extractTarGz in internal/services/vddk.go) and has a high CVSS of 9.6 due to scope change and full CIA impact, though no public exploit has been identified at time of analysis.
Credential interception in kubev2v assisted-migration-agent allows network-positioned attackers to harvest vCenter administrator credentials because the agent's vCenter client establishes TLS connections with certificate verification effectively disabled by default. The flaw, reported by Red Hat and tracked as EUVD-2026-36032, has no public exploit identified at time of analysis and an EPSS score of 0.01% (percentile 1%), but successful MITM exploitation yields full administrative access to the targeted vCenter.