A critical vulnerability in VMware Aria Operations for Networks is being actively exploited, the virtualization vendor confirmed on Tuesday. The confirmation follows VMware’s June 7 disclosure of three vulnerabilities in Aria Operations for Networks, its network and application monitoring tool: CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889. The company has since released patches for all three, along with additional technical details, in its security advisory.
Of the three, CVE-2023-20887 is the most severe: a critical command injection vulnerability with a CVSSv3 score of 9.8. CVE-2023-20888 is a critical authenticated deserialization vulnerability rated 9.1, and CVE-2023-20889 is an information disclosure vulnerability rated 8.8.
In an update to its advisory on June 20, VMware stated that CVE-2023-20887, the critical flaw, had already been exploited. GreyNoise had first confirmed the exploitation activity in a blog post, reporting that its threat analytics had observed two IP addresses attempting to exploit the vulnerability.
All three vulnerabilities were initially reported to VMware by Trend Micro’s Zero Day Initiative (ZDI). VMware’s advisory credits Sina Kheirkhah of Summoning Team and an anonymous researcher, both working with ZDI. Last week, a week before reports of exploitation were made public, Kheirkhah published a proof-of-concept exploit for CVE-2023-20887 on GitHub and on his blog.
Security researcher Y4er has stated that CVE-2023-20887 is in fact a patch bypass for CVE-2022-31702, a critical command injection vulnerability in VMware vRealize Network Insight (the previous name of VMware Aria Operations for Networks) that VMware patched in December. Y4er’s analysis article provides further detail on the bypass.
VMware has faced several in-the-wild exploited vulnerabilities recently. Earlier this month, Mandiant discovered a new zero-day vulnerability in VMware ESXi being used by a Chinese APT. In April, multiple threat intelligence providers detected threat activity, including cryptomining, tied to the VMware Workspace One flaw CVE-2022-22954. And in the past year, the Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to address two previously disclosed VMware flaws that were under active exploitation.
Asked about the scope of the exploitation, VMware declined to provide details to TechTarget Editorial. A spokesperson emphasized the company’s commitment to customer security and recommended that customers apply the software updates listed in the security advisory.
Organizations running VMware Aria Operations for Networks should apply the provided patches promptly and keep up with security updates to protect their systems and data. With active exploitation of newly disclosed vulnerabilities becoming increasingly common, companies need to stay proactive in addressing security risks.
