Description
A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security (TLS) connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials. This can lead to unauthorized access to vCenter.
Published: 2026-06-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Assisted Migration Agent hardcodes insecure Transport Layer Security for all connections to vCenter, disabling certificate validation. This allows an attacker to perform a Man‑in‑the‑Middle attack and capture administrator credentials that are transmitted over the network, resulting in unauthorized access to the vCenter server. The weakness is a classic TLS validation bypass (CWE‑295) and poses a severe confidentiality and integrity threat to the entire virtual infrastructure.

Affected Systems

The vulnerability is present in all versions of the Assisted Migration Agent, as the TLS verification setting is globally disabled regardless of configuration. No specific version scope is defined, so any installation that actively connects to vCenter without custom TLS verification is affected.

Risk and Exploitability

The CVSS score of 9.3 classifies the flaw as critical, indicating that a successful exploit results in complete compromise of vCenter authentication. Exploitation requires only network presence between the agent and vCenter, enabling a remote attacker to intercept traffic; there is no local privilege or special conditions reported. The EPSS score is not available, but the absence of a KEV listing does not diminish the severity of the exposed traffic. An attacker can harvest credentials by simply positioning themselves in the communication path, a readily achievable attack vector in many data centre environments.

Generated by OpenCVE AI on June 10, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Assisted Migration Agent to the latest release that removes the hardcoded insecure TLS setting (see PR #268 for the patch changes).
  • If an immediate update is not possible, reconfigure the agent to enforce proper TLS certificate verification by disabling the hardcoded insecure mode or by providing a valid certificate chain.
  • Restrict network access between the agent and vCenter to a trusted, isolated network segment and monitor for anomalous traffic to detect potential MITM attempts.

Generated by OpenCVE AI on June 10, 2026 at 15:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Kubev2v assisted Migration Agent
CPEs cpe:2.3:a:kubev2v:assisted_migration_agent:*:*:*:*:*:*:*:*
Vendors & Products Kubev2v assisted Migration Agent

Fri, 12 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Kubev2v
Kubev2v assisted-migration-agent
Vendors & Products Kubev2v
Kubev2v assisted-migration-agent

Thu, 11 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 10 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security (TLS) connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials. This can lead to unauthorized access to vCenter.
Title Assisted-migration-agent: tls verification disabled on all vcenter connections
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}

Subscriptions

Kubev2v Assisted-migration-agent Assisted Migration Agent
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-10T14:51:41.188Z

Reserved: 2026-06-09T17:03:29.628Z

Link: CVE-2026-53475

cve-icon Vulnrichment

Updated: 2026-06-10T14:51:37.154Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T15:16:42.090

Modified: 2026-06-16T14:41:25.200

Link: CVE-2026-53475

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-07T00:00:00Z

Links: CVE-2026-53475 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T10:41:50Z

Weaknesses
  • CWE-295

    Improper Certificate Validation