VMware Aria Operations for Networks Exposes Critical Vulnerability Resulting in Widespread Exploitation

A vulnerability in VMware Aria Operations for Networks, previously known as vRealize Network Insight, is currently being exploited by malicious actors, according to researchers. The flaw, which was patched earlier this month, allows for remote code execution through command injection and is considered to be of critical severity.

Researchers from Akamai, a leading content delivery network and cloud service provider, have reported that the scale of active scanning for sites affected by this vulnerability, tracked as CVE-2023-20887, is much greater than originally thought. They have observed a total of 695,072 attacks by 508 unique IP addresses. Moreover, Akamai has detected over 27,000 of its customers’ sites being scanned.

Aside from CVE-2023-20887, VMware also released patches for two other critical vulnerabilities in Aria Operations for Networks. One of these flaws, designated as CVE-2023-20888, is a deserialization issue. Deserialization vulnerabilities involve the parsing and interpretation of user-controlled data, making them a common cause of security breaches. Both CVE-2023-20887 and CVE-2023-20888 can be exploited if attackers have network access to the vulnerable application. However, the latter vulnerability requires the attacker to have “member” role credentials, making it less practical to exploit.

The third vulnerability, known as CVE-2023-20889, is also a command injection flaw that can lead to sensitive information disclosure. It is rated 8.8 (High) on the CVSS severity scale.

To protect against these vulnerabilities, VMware advises its customers to deploy the patches available for their respective versions as soon as possible. The company has updated its advisory multiple times to reflect the evolving threat landscape. For instance, it has warned that exploit code for CVE-2023-20887 has been released and that active exploitation has occurred in the wild. As confirmed by Akamai and telemetry from GreyNoise, a leading attack monitoring service, the number of attacks has increased since then.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2023-20887 to its catalog of Actively Exploited Vulnerabilities. This catalog acts as a resource for organizations, providing information on vulnerabilities that are actively targeted by threat actors. The addition of CVE-2023-20887 to the catalog places it alongside other notable vulnerabilities, such as the iOS vulnerabilities exploited in Operation Triangulation and a command injection flaw in Zyxel’s network-attached storage devices. Additionally, CISA has included an authentication bypass flaw in VMware Tools, designated as CVE-2023-20867, in the catalog. This flaw was exploited as a zero-day vulnerability by a Chinese cyberespionage actor to execute commands inside guest virtual machines from a compromised host.

In a separate announcement, VMware has also released fixes for five vulnerabilities in its vCenter Server product. vCenter Server is a tool used by administrators to manage virtual infrastructure. The vulnerabilities, designated as CVE-2023-20892, CVE-2023-20893, CVE-2023-20894, CVE-2023-20895, and CVE-2023-20896, can lead to arbitrary code execution, memory corruption, authentication bypass, and denial-of-service conditions. While there are no reports of these vulnerabilities being exploited in the wild, VMware users are strongly encouraged to apply the available patches to mitigate any potential risks.

Overall, these recent developments highlight the importance of promptly deploying security patches to address known vulnerabilities. As threat actors continue to actively exploit software flaws, organizations must remain vigilant in their efforts to protect their systems and data from potential attacks.
