CRITICAL | CVE-2026-53475 | CNA: redhat

CVE-2026-53475: assisted-migration-agent: TLS verification disabled on all vCenter connections

A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security (TLS) connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials. This can lead to unauthorized access to vCenter.

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: b940fec9f5032a0801e994054d30e81d64b2942a
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a TLS verification bypass in assisted-migration-agent, a tool that communicates with VMware vCenter during workload migrations. The flaw is reachable over an adjacent network (LAN, VPN, or similar shared segment) with no authentication required, because the agent hardcodes insecure TLS settings and never validates the server certificate. A man-in-the-middle attacker positioned on that network segment can intercept the connection, harvest vCenter administrator credentials, and gain unauthorized access to the vCenter environment. A patched-image rebuild at the fix commit is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle assisted-migration-agent. No manual feed subscription is needed.

Status: Available

Triage

HarborGuard scores this finding at CVSS 9.3 Critical (v3.1) and applies per-environment compliance policy weighting to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer org based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild pinned to commit b940fec9f5032a0801e994054d30e81d64b2942a becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard runs the rebuild, executes the configured regression-test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Detail

    The attacker must be positioned on an adjacent network such as a LAN, VPN segment, or shared cloud subnet where they can intercept traffic between the agent and vCenter.

  • Authentication: Not required

    No credentials or prior account access are needed; the agent accepts any certificate presented during the TLS handshake.

  • Victim interaction: Not required

    No user action is required; exploitation occurs passively whenever the agent initiates a connection to vCenter.

  • Attack complexity: Detail

    Exploit reliability is high with no race conditions or special environmental prerequisites beyond adjacent-network positioning.

Blast Radius

  • Attacker reads vCenter administrator credentials in transit, including usernames and passwords or session tokens passed during the TLS handshake or application-layer authentication.
  • Attacker uses harvested credentials to log in to vCenter directly, gaining full administrative control over the virtualization infrastructure.
  • Attacker can enumerate, modify, or delete virtual machines, datastores, and network configurations within the compromised vCenter environment.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all connected registries and CI pipelines, matching images that include vulnerable versions of assisted-migration-agent. Given the Critical severity and the credential-interception impact, this CVE is prioritized in triage routing. A patched-image rebuild at commit b940fec9f5032a0801e994054d30e81d64b2942a is available for any environment where an affected image is identified. For customers who opt into auto-remediation, the median time from CVE publication to a merged patch PR for Critical-severity issues is around 90 minutes. Where compliance policy requires manual review, HarborGuard surfaces the finding with full CVSS context and fix-version details so engineers can act immediately. As an interim compensating control, network policy rules that restrict the agent's reachable network segment to only the intended vCenter host will reduce the window for adjacent-network interception until the patched image is deployed.


Fix available: b940fec9f5032a0801e994054d30e81d64b2942a

Affected packages
  • unknown: < b940fec9f5032a0801e994054d30e81d64b2942a (from 0)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N