VMware has updated a security advisory published two weeks earlier to warn customers that a now-patched critical vulnerability allowing remote code execution is being actively exploited in attacks.
Today, the company stated, “VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild.”
This notice comes after a series of warnings from the cybersecurity firm GreyNoise. The first warning came just two days after security researcher Sina Kheirkhah shared technical details and proof-of-concept exploit code and one week after VMware patched the security flaw on June 15.
Jacob Fisher, a research analyst at GreyNoise, stated, “We have observed attempted mass-scanning activity utilizing the Proof-Of-Concept code mentioned above in an attempt to launch a reverse shell which connects back to an attacker controlled server in order to receive further commands.”
Additionally, GreyNoise CEO Andrew Morris alerted VMware administrators earlier today to this ongoing malicious activity, likely prompting VMware to update its advisory.
GreyNoise now provides a dedicated tag to help track IP addresses observed attempting to exploit CVE-2023-20887.
VMware Aria Operations for Networks, formerly vRealize Network Insight, is a network analytics tool that enables administrators to manage VMware and Kubernetes deployments and optimize network performance.
Unauthenticated threat actors can exploit this command injection flaw in low-complexity attacks that do not require user interaction.
Kheirkhah explained in a security flaw’s root cause analysis that “VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface.”
“A remote unauthenticated attacker can use this vulnerability to run arbitrary commands on the underlying operating system as the root user.”
Because there is no workaround that removes the attack vector for CVE-2023-20887, administrators must patch all VMware Aria Operations for Networks 6.x on-premises installations to protect them from the ongoing attacks.