VMware Aria Operations for Networks unauthenticated RCE flaw

Target Industry

Indiscriminate, opportunistic targeting.

Overview

A command injection vulnerability has recently been discovered in VMware Aria Operations for Networks. The flaw, tracked as CVE-2023-20887 (CVSSv3 score: 9.8), allows an unauthenticated threat actor with access to Aria Operations to achieve remote code execution (RCE).

Impact

Successful exploitation of CVE-2023-20887 could allow a threat actor with network access to VMware Aria Operations for Networks to perform a command injection attack resulting in RCE. This would almost certainly result in the compromise of the integrity of data.

Vulnerability Detection

VMware Aria has patched the vulnerability for the respective product versions. As such, previous versions are vulnerable to potential exploitation.

Affected Products

VMware Aria Operations for Networks versions 6.2 through 6.10.
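
The following is an added example, not part of the original bulletin or any VMware tooling: a small triage script that flags inventory entries whose version falls in the affected range stated above. The inventory format, hostnames and version strings are constructed assumptions. A version in range does not show whether the patch has been applied, so flagged hosts should be treated as vulnerable until the patch is confirmed.

```python
import csv
import io
import re

# Affected range as stated in this bulletin: 6.2 through 6.10 (inclusive).
AFFECTED_MIN = (6, 2)
AFFECTED_MAX = (6, 10)

# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = """host,product_version
netops-a.example.internal,6.2.0
netops-b.example.internal,6.10
netops-c.example.internal,6.9.0
netops-d.example.internal,6.11.0
netops-e.example.internal,6.1
netops-f.example.internal,unknown
"""

def parse_major_minor(version):
    """Return (major, minor) as ints, or None if not a dotted version string."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.\d+)*\s*", version)
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(version):
    """Return 'in_range', 'out_of_range', or 'unparsed' (needs manual review)."""
    mm = parse_major_minor(version)
    if mm is None:
        return "unparsed"
    # Tuple comparison is numeric per component, so 6.10 sorts after 6.9;
    # comparing the raw strings would wrongly place "6.10" before "6.2".
    return "in_range" if AFFECTED_MIN <= mm <= AFFECTED_MAX else "out_of_range"

def triage(inventory_csv):
    """Map each host in the CSV text to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["product_version"]) for row in reader}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13} {host}")
```

Entries reported as `unparsed` are deliberately not assumed safe and should be checked by hand.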

Containment, Mitigations & Remediations

It is strongly recommended that users apply the patch released by VMware as soon as possible. This can be found at the associated VMware advisory.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

VMware holds a significant share of the virtualisation market. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, VMware products have become a prime target. Because virtual machines have become an integral aspect of both personal and business affairs, threat actors will continue to exploit vulnerabilities within the associated devices in an attempt to extract the sensitive information they contain.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

MITRE Methodologies

Tactic:

TA0002 – Execution

Further Information

VMware Advisory

 
