vmware-vcenter-attack

When to use

Trigger when external recon shows ANY of:

• Banner: "VMware vCenter Server", "VMware vSphere Client"
• URL paths: /ui, /ui/login, /websso/SAML2/Metadata, /sdk, /mob (Managed Object Browser)
• TLS cert SAN includes vcenter / vsphere / vcsa / psc / vmware
• Workspace ONE Access / Identity Manager: /SAAS, /SAAS/auth, /SAAS/login, /SAAS/horizon
• VMware Aria / vRealize: /vco, /vco-controlcenter, /orchestrator, /lcm/api/v1
• Horizon View: /portal, /admin

Do NOT use for:

• Internal-network vCenter (out of scope — external boundary discipline)
• Pure ESXi hypervisor exposed without management plane (rare on internet; flag as separate finding)

Step 1 — Version fingerprinting