VMware has issued a security advisory warning customers about a critical remote code execution vulnerability tracked as CVE-2023-20887 that’s being exploited in the wild. The company had previously issued patches for the aforementioned vulnerability in addition to two more high-severity bugs in early June.
CVE-2023-20887 was the most severe vulnerability fixed in the June patch, with a CVSS score of 9.8 out of 10. It’s a command injection flaw in Aria Operations for Networks, previously known as vRealize Network Insight. The product is a popular network monitoring tool that allows organisations to build optimised and secure network infrastructure.
Further confirmation of active exploitation comes from GreyNoise CEO Andrew Morris, whose company observed attacks exploiting the vulnerability from two IP addresses starting June 13. Since the PoC code for the exploit is openly available on GitHub, the attack volume is expected to increase in the coming days. At the time of writing, GreyNoise’s website still reports a single IP address running the attack.
The other two vulnerabilities fixed in the patch, tracked as CVE-2023-20888 and CVE-2023-20889, are high-severity flaws with CVSS scores of 9.1 and 8.8 out of 10, respectively. CVE-2023-20888 allows a remote attacker to run a deserialisation attack, resulting in remote code execution, while CVE-2023-20889 can allow attackers to run command injection attacks resulting in information disclosure.
There’s no evidence to suggest that the two aforementioned vulnerabilities are being actively exploited, but it’s recommended that users apply the latest updates provided by VMware to prevent accidental exposure. All three bugs have been fixed in VMware Aria Operations for Networks update KB92684.
Since there are no workarounds or additional mitigations for these issues other than updating to the latest version, users who don’t update in time could be at massive risk if the other two vulnerabilities also start getting exploited in the wild.