Cisco has released a security advisory regarding Umbrella Virtual Appliances.
The advisory states that the vulnerability “could allow an unauthenticated, remote attacker to impersonate a VA” and is due to the presence of a static SSH host key. The attack vector is Man-in-the-Middle and SSH is not enabled by default on these virtual appliances.
The vulnerability has been assigned CVE-2022-20773 with a CVSS 3.1 Base Score of 7.5 (High).
Cisco has released version 3.3.2 to fix this vulnerability.
This vulnerability affects the Cisco Umbrella Virtual Appliance for both VMware ESXi and Hyper-V running a software version earlier than 3.3.2.
The version of the VA can be verified by opening the VA in the hypervisor console or by navigating in the Umbrella Dashboard to Deployments > Configuration > Sites and Active Directory.
To determine if SSH is enabled, log in to the hypervisor console, enter configuration mode by pressing CTRL+B, and enter the command config va show.
The following example shows the output of the config va show command for a device that has SSH enabled:
~ $ config va show
Virtual Appliance Configuration
Local DNS –
ip address :
DNSSEC : disabled
Internal Domains Count: 0
Resolvers: 220.127.116.11 18.104.22.168
SSH access : enabled
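
The two checks above (version earlier than 3.3.2, SSH access enabled) can be run across a fleet and combined with a host key comparison. This is an added example, not Cisco's code: it assumes a static host key shows up as the same fingerprint on more than one appliance, and every hostname, version and key blob in it is constructed sample data.

```python
import base64
import hashlib
from collections import defaultdict

FIXED = (3, 3, 2)  # first fixed release named in the advisory
# Constructed sample data: hypothetical hosts, versions and key blobs.
INVENTORY = {  # host -> (VA version, saved `config va show` output)
    "va1.example": ("3.2.0", "DNSSEC : disabled\nSSH access : enabled\n"),
    "va2.example": ("3.3.1", "DNSSEC : disabled\nSSH access : enabled\n"),
    "va3.example": ("3.3.2", "DNSSEC : disabled\nSSH access : enabled\n"),
    "va4.example": ("3.1.0", "DNSSEC : disabled\nSSH access : disabled\n"),
}
KEYSCAN = [  # ssh-keyscan layout: host keytype base64-blob
    "va1.example ssh-rsa " + base64.b64encode(b"constructed-key-A").decode(),
    "va2.example ssh-rsa " + base64.b64encode(b"constructed-key-A").decode(),
    "va3.example ssh-rsa " + base64.b64encode(b"constructed-key-B").decode(),
]

def fingerprint(blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def ssh_enabled(show_output):
    """Read the 'SSH access' line of `config va show` output."""
    for line in show_output.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "ssh access":
            return value.strip().lower() == "enabled"
    return False  # line absent: treated as not enabled (SSH is off by default)

def shared_keys(keyscan_lines):
    """Return {fingerprint: [hosts]} for host keys presented by more than one host."""
    seen = defaultdict(set)
    for line in keyscan_lines:
        fields = line.split()
        if len(fields) >= 3 and not line.startswith("#"):
            seen[fingerprint(fields[2])].add(fields[0])
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}

def triage(inventory, keyscan_lines):
    """Return {host: [findings]} for VAs older than 3.3.2 that have SSH enabled."""
    reused = {h for hosts in shared_keys(keyscan_lines).values() for h in hosts}
    report = {}
    for host, (version, show_output) in inventory.items():
        old = tuple(int(part) for part in version.split(".")) < FIXED
        if old and ssh_enabled(show_output):
            extra = ["host key shared with another VA"] if host in reused else []
            report[host] = ["upgrade to 3.3.2"] + extra
    return report
```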