VMware spots exploits in the wild for Aria Operations for Networks

VMware has announced that it has learned of exploitation of a security vulnerability first disclosed by the company on June 7.

The company’s advisory covered three vulnerabilities – CVE-2023-20887, CVE-2023-20888 and CVE-2023-20889.

On June 20, VMware added to the advisory that it "has confirmed that exploitation of CVE-2023-20887 has occurred in the wild.”

The exploit is described in this blog post by Summoning Team.

CVE-2023-20887, the post explains, is in VMware Aria Operations for Networks (formerly known as vRealize Network Insight), and “comprises a chain of two issues leading to remote code execution (RCE) that can be exploited by unauthenticated attackers.”

In a proof-of-concept posted to GitHub, Sinsinology said: “VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface."

"This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user.

“The RPC interface is protected by a reverse proxy which can be bypassed,” the post continued, saying that a successful attacker gets root access on the affected system.

VMware has patched the product against the vulnerability.