Security Vulnerability: Public Disclosure – September 27 2018 (CVE-2018-6979)


The VMware Workspace ONE Unified Endpoint Management Console (AirWatch Console) contains a SAML authentication bypass vulnerability which can be leveraged during device enrollment. This vulnerability (CVE-2018-6979) may allow for a malicious actor to impersonate an authorized SAML session if certificate-based authentication is enabled.This vulnerability is also relevant if certificate-based authentication is not used, but the outcome of exploitation is limited to an information disclosure in those cases. For additional information, please refer to the advisory here.

What can our customers do?

Shared SaaS:All Shared SaaS environments hosted by VMware have been appropriately patched.

Dedicated SaaS and On-Premises: Patches have been made available for all Workspace ONE UEM (AirWatch) Console versions 9.1 and up. On-Premises customers can get the patch for their respective versions below: 

Version Severity Replace with/Apply patch


Critical and above; Patch here.


Critical and above; Patch here


Critical and above; Patch here


Critical and above; Patch here


Critical and above; Patch here


Critical and above; Patch here.


Critical and above; Patch here

Additionally, customers with Dedicated SaaS AirWatch environments can request the fix be applied for their environment by entering a support request. For customers not on any of the listed versions above, please submit a support request. 



If patching your environment is not feasible in a timely manner, please take mitigation steps by disabling SAML authentication for enrollment located under System > Enterprise Integration > Directory Services.

Note:This issue does NOT impact basic and directory enrollment users. If you disable SAML for authentication, you will need to opt into leveraging Basic users that are local to the Workspace ONE Unified Endpoint Management Console or Directory services to take advantage of users stored in AD or LDAP.

Other Languages: 日本語

Have more questions? Submit a request


Article is closed for comments.