VMware has issued a warning stating that a critical command injection vulnerability in Aria Operations for Networks, formerly known as vRealize Network Insight, is actively being exploited in the wild. The vulnerability, identified as CVE-2023-20887, enables a malicious actor with network access to execute remote code by performing a command injection attack.
This security flaw affects VMware Aria Operations for Networks versions 6.x, and the company has released fixes for it in versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10, which were made available on June 7, 2023.
According to an update shared by VMware on June 20, the vulnerability has been weaponized and is actively being exploited in real-world attacks. However, the exact details of these attacks are currently unknown.
VMware confirmed the exploitation of CVE-2023-20887, and data from threat intelligence firm GreyNoise revealed ongoing exploitation originating from two different IP addresses located in the Netherlands.
The disclosure of this vulnerability comes after a researcher named Sina Kheirkhah, from the Summoning Team, identified and reported the flaw. Kheirkhah has also released a proof-of-concept (PoC) demonstrating the exploitation of the vulnerability. The PoC highlights that the vulnerability consists of a chain of two issues that can be leveraged by unauthenticated attackers to achieve remote code execution (RCE).
The rapid exploitation of newly disclosed vulnerabilities by both state-sponsored actors and financially motivated groups continues to pose a significant threat to organizations worldwide. This recent disclosure follows a report from Mandiant that uncovered active exploitation of another VMware vulnerability (CVE-2023-20867) by a suspected Chinese actor named UNC3886, who utilized it to backdoor Windows and Linux hosts.