VMware Aria Operations for Networks vulnerability exploited in the wild (CVE-2023-20887)

CVE-2023-20887, a pre-authentication command injection vulnerability in VMware Aria Operations for Networks (formerly vRealize Network Insight), has been spotted being exploited in the wild.

There are no workarounds to mitigate the risk of exploitation – enterprise admins are advised to upgrade their deployments with patches.

CVE-2023-20887 exploited

CVE-2023-20887 is one of three vulnerabilities recently discovered by Sina Kheirkhah of Summoning Team and an anonymous researcher and privately reported to VMware.

“A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution,” the company confirmed.

A PoC exploit for CVE-2023-20887 has been published by Kheirkhah on June 13 and, according to GreyNoise, attempts to exploit the flaw started two days after.

“We have observed attempted mass-scanning activity utilizing the Proof-Of-Concept code mentioned above in an attempt to launch a reverse shell which connects back to an attacker controlled server in order to receive further commands,” GreyNoise research analyst Jacob Fisher noted.

CVE-2023-20887, CVE-2023-20888 (an authenticated deserialization vulnerability) and CVE-2023-20889 (an information disclosure vulnerability) affect versions 6.x of the solution. Patches for each version are available here.