Cybercriminals are exploiting a critical-severity command injection vulnerability in VMware’s network monitoring tool two weeks after the company released a patch.
The flaw (tracked as CVE-2023-20887) exists in several versions of VMware’s Aria Operations for Networks solution, formerly known as vRealize Network Insight, which helps businesses monitor and analyze their networks and applications. VMware issued a fix for the vulnerability (along with two other flaws tracked as CVE-2023-20888 and CVE-2023-20889) on June 7. However, on Tuesday the company confirmed that the flaw is being exploited in the wild against organizations that have not applied the patches.
“As of now, GreyNoise has detected two unique IP addresses engaged in widespread exploitation attempts of the CVE-2023-20887 vulnerability,” said Matthew Remacle, senior researcher with GreyNoise Intelligence. “The actions performed by these malicious actors using the exploit include deploying reverse shells to gain arbitrary control over the vulnerable server, as well as executing reconnaissance commands to determine the success of their exploit attempts.”
The vulnerability could allow a threat actor that has existing network access to VMware’s Aria Operations for Networks to perform a command injection attack, which could enable remote code execution.
“The vulnerability arises from a gap in a routing rule within the application suite,” said Remacle. “This gap allows a malicious actor to exploit the Apache Thrift RPC interface by sending a specially crafted HTTP request. Successful exploitation of this vulnerability can result in remote code execution with the privileges of the ‘root’ user.”
Sina Kheirkhah, security researcher with Summoning Team, was credited with reporting the flaw. Kheirkhah has also published proof-of-concept exploit code for the bug.
Versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9 and 6.10 of Aria Operations for Networks are impacted by the flaws, and organizations are urged to apply updates immediately. Additionally, Remacle said administrators should review server logs for HTTP requests targeting the path /saas./resttosaasservlet, as these requests may indicate exploitation activity.
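The log review Remacle recommends is straightforward to automate. The script below is an added example, not code from the article, from GreyNoise, or from VMware: it parses Apache/nginx combined-format access-log lines, URL-decodes the request path (twice, to catch single- and double-encoded variants of the dot segment), and flags any request that reaches /saas./resttosaasservlet, the path that slips past the routing rule described above. The log format and the sample lines are assumptions; the sample lines are constructed and use RFC 5737 documentation addresses, not real traffic.

```python
"""Flag access-log requests that hit the CVE-2023-20887 indicator path.

Added example (not from the article, GreyNoise or VMware). Assumes the
appliance's front end writes an Apache/nginx "combined" format access log.
"""
import re
from urllib.parse import unquote

# Indicator path named by GreyNoise for CVE-2023-20887 exploitation attempts.
INDICATOR_PATH = "/saas./resttosaasservlet"

# Combined log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (assumption: not captured from a real appliance).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jun/2023:10:15:01 +0000] "POST /saas./resttosaasservlet HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.11 - - [20/Jun/2023:10:15:05 +0000] "POST /saas%2E/resttosaasservlet?x=1 HTTP/1.1" 200 512 "-" "curl/8.1.2"',
    '198.51.100.7 - - [20/Jun/2023:10:16:00 +0000] "GET /saas/ui/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [20/Jun/2023:10:16:10 +0000] "POST /saas/resttosaasservlet HTTP/1.1" 403 0 "-" "curl/8.1.2"',
    "garbage line that does not parse",
]


def normalize_path(target: str) -> str:
    """Drop the query string and URL-decode twice, so '%2E' and '%252E'
    variants of the '.' segment normalize to the same literal path."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.lower()


def parse_line(line: str):
    """Return a dict for a well-formed combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": normalize_path(m.group("target")),
        "status": int(m.group("status")),
    }


def is_suspicious(entry: dict) -> bool:
    """True when the normalized path contains the indicator path.
    Note the fourth sample line: /saas/resttosaasservlet (no dot segment)
    is the route the front end is meant to block and is NOT flagged."""
    return INDICATOR_PATH in entry["path"]


def scan(lines):
    """Return the parsed entries that match the indicator, each annotated
    with whether the front end served the request (status < 400) rather
    than rejecting it. A served request is a reason to investigate the host,
    not proof that code execution succeeded."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            entry["served"] = entry["status"] < 400
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} '
              f'status={hit["status"]} served={hit["served"]}')
```

Point the script at the front-end proxy's access log on each appliance (the exact file location is not given in the article and depends on the deployment). Any hit from outside the set of hosts that legitimately talk to the appliance should be treated as an attempted exploit; a hit that was served with a 2xx response warrants checking the host for reverse-shell or reconnaissance activity of the kind GreyNoise describes.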
Threat actors have previously targeted flaws in the VMware platform. Last week, Mandiant researchers revealed that a known Chinese cyberespionage group has been exploiting a zero-day vulnerability on VMware ESXi hosts to gain unauthenticated remote code execution. And in February, the French CERT warned of a wave of exploit attempts targeting an old vulnerability in VMware ESXi with the goal of installing the ESXiArgs ransomware on compromised instances.