VMware patches critical vRealize vulnerability

Target Industry 

Indiscriminate, opportunistic targeting. 

Overview  

VMware has disclosed a critical deserialisation vulnerability, tracked as CVE-2023-20864 (CVSS score: 9.8), which impacts multiple versions of Aria Operations for Logs, a log analysis tool responsible for managing substantial quantities of application and infrastructure logs. 

Impact  

Successful exploitation of CVE-2023-20864 could allow an unauthenticated threat actor with network access to VMware Aria Operations for Logs to execute arbitrary code. 

Further, the vulnerability could be exploited remotely by unauthenticated threat actors in low-complexity attacks that do not require user interaction. 

Vulnerability Detection 

VMware has released a patch for the vulnerability. As such, unpatched versions remain vulnerable to potential exploitation.  

Affected Products 

VMware Aria Operations for Logs (formerly vRealize Log Insight) 

It should be noted that only version 8.10.2 is impacted by the vulnerability. 

Containment, Mitigations & Remediations 

It is strongly recommended that users apply the VMware Aria Operations for Logs 8.12 update, which can be found listed in the “Fixed Version” column of the “Response Matrix” table within the VMware advisory. 

Indicators of Compromise 

No specific Indicators of Compromise (IoCs) are available at this time. 

Threat Landscape 

VMware occupies a significant proportion of the virtualisation market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, VMware products have become a prime target for threat actors. Due to the fact that virtual machines have become an integral aspect of both personal and business affairs, threat actors will continue to exploit vulnerabilities contained within the associated devices in an attempt to extract the sensitive information contained therein. 

The security flaw has emerged just three months after VMware addressed two critical vulnerabilities in the same product (tracked as CVE-2022-31704 and CVE-2022-31706), exploitation of which could also result in remote code execution. 

Threat Group 

No attribution to specific threat actors or groups has been identified at the time of writing. 

MITRE Methodologies 

Tactic: 

TA0002 – Execution 

Further Information 

VMware Advisory