
Critical VMware Aria Operations bug under active exploitation

Reports of exploitation for a critical command injection flaw in VMware Aria Operations for Networks came roughly a week after a researcher published a proof-of-concept for it.

A critical flaw in VMware Aria Operations for Networks is under active exploitation, the virtualization vendor confirmed Tuesday.

VMware on June 7 disclosed three vulnerabilities affecting VMware's network and application monitoring tool Aria Operations: CVE-2023-20887, CVE-2023-20888 and CVE-2023-20889. Patches for all three vulnerabilities, plus additional technical information, are available now via VMware's security advisory.

CVE-2023-20887 is a critical command injection vulnerability with a CVSSv3 severity rating of 9.8. CVE-2023-20888 is a critical authenticated deserialization vulnerability with a severity rating of 9.1. CVE-2023-20889 is an information disclosure vulnerability with a severity rating of 8.8.

On June 20, VMware said in its advisory that CVE-2023-20887, the most severe flaw, had been exploited in the wild. Exploitation activity was first confirmed by GreyNoise in a blog post on Friday. According to a scan from the threat analytics vendor, two IP addresses were detected attempting to exploit the vulnerability.

All three vulnerabilities were reported to VMware by Trend Micro's Zero Day Initiative (ZDI); VMware's advisory acknowledges Sina Kheirkhah of Summoning Team and an anonymous researcher who also worked with ZDI. Last week Kheirkhah published a proof-of-concept exploit for CVE-2023-20887 on GitHub and his blog, roughly a week prior to the initial reports of exploitation.

According to security researcher Y4er, CVE-2023-20887 is a patch bypass for CVE-2022-31702, a critical command injection vulnerability affecting VMware vRealize Network Insight (the previous name of VMware Aria Operations) that was patched by VMware in December.

Several VMware flaws have come under exploitation in the wild in recent months. Earlier this month, Mandiant reported the discovery of a new zero-day in VMware ESXi that has been used by a Chinese APT. In April, multiple threat intelligence providers detected threat activity, including cryptomining, related to VMware Workspace One flaw CVE-2022-22954. Last year, CISA urged organizations to act after two previously disclosed VMware flaws came under active exploitation.

VMware declined to answer TechTarget Editorial's questions about the scope of exploitation. However, a spokesperson shared the following statement:

"The security of our customers is a priority for VMware, and we recommend that customers apply the software updates provided in our security advisory that was published on June 7 and updated yesterday when we confirmed exploitation in the wild," the spokesperson said.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
