Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-sz64-mgub-abf2
Vulnerability ID VCID-sz64-mgub-abf2
Aliases CVE-2009-3733
Summary Multiple vulnerabilities have been found in VMware Player, Server, and Workstation, allowing remote and local attackers to conduct several attacks, including privilege escalation, remote execution of arbitrary code, and a Denial of Service.
Status Published
Exploitability 2.0
Weighted Severity 0.8
Risk 1.6
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
epss 0.9006 https://api.first.org/data/v1/epss?cve=CVE-2009-3733
epss 0.9006 https://api.first.org/data/v1/epss?cve=CVE-2009-3733
epss 0.9006 https://api.first.org/data/v1/epss?cve=CVE-2009-3733
epss 0.9006 https://api.first.org/data/v1/epss?cve=CVE-2009-3733
epss 0.9006 https://api.first.org/data/v1/epss?cve=CVE-2009-3733
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2009-3733
CVE-2009-3733;OSVDB-59440 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/33310.nse
CVE-2009-3733;OSVDB-59440 Exploit https://www.securityfocus.com/bid/36842/info
GLSA-201209-25 https://security.gentoo.org/glsa/201209-25
Data source Exploit-DB
Date added Oct. 27, 2009
Description VMware Server 2.0.1 / ESXi Server 3.5 - Directory Traversal
Ransomware campaign use Known
Source publication date Oct. 27, 2009
Exploit type remote
Platform multiple
Source update date May 12, 2014
Source URL https://www.securityfocus.com/bid/36842/info
Data source Metasploit
Description This modules exploits the VMware Server Directory Traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5 allows remote attackers to read arbitrary files. Common VMware server ports 80/8222 and 443/8333 SSL. If you want to download the entire VM, check out the gueststealer tool.
Note 
Stability:
  - crash-safe
SideEffects:
  - ioc-in-logs
Reliability: []
Ransomware campaign use Unknown
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb
There are no known vectors.
Exploit Prediction Scoring System (EPSS)
Percentile 0.9958
EPSS Score 0.9006
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:00:36.730097+00:00 Gentoo Importer Import https://security.gentoo.org/glsa/201209-25 38.0.0