VMware Exploited Attacks Target vRealize Flaw

VMware revised a two-week-old security advisory to alert customers that a now-patched serious vulnerability permitting remote code execution is being actively exploited in attacks.

“VMware has confirmed that CVE-2023-20887 has been exploited in the wild,” the company said today.

This notification comes after several warnings from cybersecurity firm GreyNoise, the first of which was given one week after VMware corrected the security weakness on June 15 and only two days after security researcher Sina Kheirkhah provided technical information and proof-of-concept exploit code.

“Discover the vRealize flaw exploited in attacks and heed VMware’s warning. Protect your systems from potential vulnerabilities. said.

GreyNoise CEO Andrew Morris also notified VMware administrators of the continuous malicious behaviour earlier today, prompting VMware to amend its advisory.

GreyNoise has introduced a dedicated tag, empowering users to effectively monitor IP addresses involved in attempting to exploit CVE-2023-20887. With this new feature, keeping track of suspicious activities becomes seamless and hassle-free. Stay ahead of potential threats with GreyNoise’s enhanced capabilities.

Greyscale Attempt
CVE-2023-20887 exploit attempts July (GreyNoise)

Unveiling a significant flaw, the impact extends deeply into VMware Aria Operations for Networks (formerly known as vRealize Network Insight), a pivotal network analytics tool extensively utilized by administrators. With this powerful tool, admins are empowered to bolster network performance and seamlessly navigate VMware and Kubernetes deployments. Nevertheless, the identification of this vulnerability emphasizes the imperative of promptly addressing the issue, recognizing the indispensable role this tool plays in optimizing networks. It is crucial to take immediate action in light of the critical importance this tool holds in enhancing network performance. Given the severity of this vulnerability, immediate attention is crucial, considering the pivotal role played by this product in optimizing and managing networks.

This command injection bug can be exploited by unauthenticated threat actors in low-complexity attacks that do not involve user input.

“VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when receiving user input via the Apache Thrift RPC interface,” Kheirkhah wrote in a root cause investigation of the security flaw.

This vulnerability allows an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system as the root user.

Because there are no workarounds for CVE-2023-20887, administrators must patch all VMware Aria Operations Networks 6.x on-premises installations to guarantee they remain protected from continuing assaults.

On, you can find a complete list of security updates for any vulnerable Aria Operations for Networks versions.

VMware’s Customer Connect website.

CVE-2023-20887Multiple vulnerabilities in Aria Operations for Networks (formerly vRealize Network Insight). Command injection vulnerability.ReferenceJune 2023
CVE-2023-20888Multiple vulnerabilities in Aria Operations for Networks (formerly vRealize Network Insight).ReferenceJune 2023
CVE-2023-20889Multiple vulnerabilities in Aria Operations for Networks (formerly vRealize Network Insight).ReferenceJune 2023
CVE-2023-20867Authentication Bypass vulnerability in VMware Tools.ReferenceJune 2023
CVE-2023-20892Heap overflow vulnerability in vCenter Server.ReferenceJune 2023
CVE-2023-20899Bypass authentication vulnerability in VMware SD-WAN.ReferenceJuly 2023
CVE-2023-20869Multiple security vulnerabilities in VMware Workstation and Fusion. Stack-based buffer-overflow vulnerability in Bluetooth device-sharing functionality.ReferenceApril 2023Empowers administrators.
Share this article:

Leave a Reply

Your email address will not be published. Required fields are marked *

most popular