VMware has updated a security advisory, initially published two weeks ago, to alert customers that a critical remote code execution vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) is being actively exploited in attacks. The company stated, "VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild." This announcement follows several warnings from cybersecurity firm GreyNoise and the release of technical details and proof-of-concept exploit code by security researcher Sina Kheirkhah. GreyNoise research analyst Jacob Fisher said, "We have observed attempted mass-scanning activity utilizing the Proof-Of-Concept code mentioned above in an attempt to launch a reverse shell which connects back to an attacker controlled server in order to receive further commands." GreyNoise CEO Andrew Morris also alerted VMware admins to this ongoing malicious activity, which likely prompted VMware to update its advisory. GreyNoise now offers a dedicated tag to help track IP addresses observed attempting to exploit CVE-2023-20887.
The vulnerability affects VMware Aria Operations for Networks (formerly vRealize Network Insight), a network analytics tool that helps administrators optimize network performance and manage VMware and Kubernetes deployments. Unauthenticated threat actors can exploit this command injection flaw in low-complexity attacks that require no user interaction, and because the affected service runs as root, a successful injection yields full control of the appliance rather than a limited service account. Sina Kheirkhah explained the root cause of the security bug, stating, "VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user."
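To make the bug class concrete, the following is an added illustration of command injection in an RPC handler and is not VMware's code, Kheirkhah's proof of concept, or a reconstruction of the actual flaw in Aria Operations for Networks. The RPC method name, the handler bodies, and the request inputs are all constructed for the example; `echo` stands in for whatever network tool a real diagnostic handler would invoke so that the demonstration is harmless. The vulnerable handler interpolates the caller's string into a shell line, so a `;` in the argument ends the intended command and starts the attacker's. The hardened handler passes an argument vector (no shell parses metacharacters) and rejects anything that is not a plausible host before it reaches the command at all.

```python
"""Command injection in an RPC handler: vulnerable form beside a hardened one.

Hypothetical illustration; not the code of any real product.
"""
import re
import subprocess

# Constructed inputs: what a benign client sends, and what a hostile client sends.
BENIGN_TARGET = "10.0.0.5"
HOSTILE_TARGET = "10.0.0.5; echo INJECTED"


def handle_probe_vulnerable(target: str) -> str:
    """Builds a shell string from untrusted RPC input and runs it with shell=True.

    The shell sees '; echo INJECTED' as a second command and runs it.  If the
    service runs as root, so does the injected command.
    """
    cmd = f"echo probing {target}"  # 'echo' stands in for a real network tool
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def handle_probe_argv_only(target: str) -> str:
    """Same operation, but as an argv list: no shell, so no metacharacter parsing.

    The hostile string is passed to the program as one literal argument.
    """
    argv = ["echo", "probing", target]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Allow-list for a hostname or IPv4/IPv6-looking target (hypothetical policy).
HOST_RE = re.compile(r"^[A-Za-z0-9.:-]{1,253}$")


def validate_target(target: str) -> str:
    """Reject input that is not a plausible host before it reaches any command."""
    if not HOST_RE.fullmatch(target):
        raise ValueError(f"rejected target: {target!r}")
    return target


def handle_probe_hardened(target: str) -> str:
    """Defence in depth: validate the value, then run it as an argv element."""
    argv = ["echo", "probing", validate_target(target)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Minimal stand-in for an RPC dispatch table (hypothetical; not Thrift itself).
HANDLERS = {
    "probe_vulnerable": handle_probe_vulnerable,
    "probe_argv_only": handle_probe_argv_only,
    "probe_hardened": handle_probe_hardened,
}


def dispatch(method: str, target: str) -> str:
    """Route an unauthenticated request to the named handler."""
    return HANDLERS[method](target)


if __name__ == "__main__":
    print(repr(dispatch("probe_vulnerable", HOSTILE_TARGET)))  # two lines: INJECTED ran
    print(repr(dispatch("probe_argv_only", HOSTILE_TARGET)))   # one line: treated as text
    try:
        dispatch("probe_hardened", HOSTILE_TARGET)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The argv form alone stops the shell from interpreting the payload, but the target program itself may still treat an unexpected argument as an option or path, which is why the hardened handler also validates the value against an allow-list. Neither change addresses the other half of the problem the page describes: an RPC interface that accepts requests without authentication and a service running as root. Running the listener as a dedicated low-privilege account limits what any remaining injection can do.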
There are no workarounds available to eliminate the attack vector for CVE-2023-20887, so administrators must patch all VMware Aria Operations for Networks 6.x on-prem installations to protect them from ongoing attacks. Patching closes the vector but does not undo a compromise that has already occurred; appliances that were exposed before the patch was applied should also be checked for signs of intrusion, such as the unexpected outbound connections to attacker-controlled servers that GreyNoise described. A comprehensive list of security patches for all vulnerable Aria Operations for Networks versions can be found on VMware's Customer Connect website.