Description
A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security (TLS) connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials. This can lead to unauthorized access to vCenter.
Published: 2026-06-10
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Assisted Migration Agent hardcodes insecure Transport Layer Security for all connections to vCenter, disabling certificate validation. This allows an attacker to perform a Man‑in‑the‑Middle attack and capture administrator credentials that are transmitted over the network, resulting in unauthorized access to the vCenter server. The weakness is a classic TLS validation bypass (CWE‑295) and poses a severe confidentiality and integrity threat to the entire virtual infrastructure.

Affected Systems

The vulnerability is present in all versions of the Assisted Migration Agent, as the TLS verification setting is globally disabled regardless of configuration. No specific version scope is defined, so any installation that actively connects to vCenter without custom TLS verification is affected.

Risk and Exploitability

The CVSS score of 9.3 classifies the flaw as critical, indicating that a successful exploit results in complete compromise of vCenter authentication. Exploitation requires only network presence between the agent and vCenter, enabling a remote attacker to intercept traffic; there is no local privilege or special conditions reported. The EPSS score is not available, but the absence of a KEV listing does not diminish the severity of the exposed traffic. An attacker can harvest credentials by simply positioning themselves in the communication path, a readily achievable attack vector in many data centre environments.

Generated by OpenCVE AI on June 10, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Assisted Migration Agent to the latest release that removes the hardcoded insecure TLS setting (see PR #268 for the patch changes).
  • If an immediate update is not possible, reconfigure the agent to enforce proper TLS certificate verification by disabling the hardcoded insecure mode or by providing a valid certificate chain.
  • Restrict network access between the agent and vCenter to a trusted, isolated network segment and monitor for anomalous traffic to detect potential MITM attempts.

Generated by OpenCVE AI on June 10, 2026 at 15:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security (TLS) connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials. This can lead to unauthorized access to vCenter.
Title Assisted-migration-agent: tls verification disabled on all vcenter connections
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-10T14:51:41.188Z

Reserved: 2026-06-09T17:03:29.628Z

Link: CVE-2026-53475

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T15:16:42.090

Modified: 2026-06-10T15:16:42.090

Link: CVE-2026-53475

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses