VMware has announced that it has learned of exploitation of a security vulnerability first disclosed by the company on June 7.
The company’s advisory covered three vulnerabilities – CVE-2023-20887, CVE-2023-20888 and CVE-2023-20889.
On June 20, VMware added to the advisory that it "has confirmed that exploitation of CVE-2023-20887 has occurred in the wild.”
The exploit is described in this blog post by Summoning Team.
CVE-2023-20887, the post explains, is in VMware Aria Operations for Networks (formerly known as vRealize Network Insight), and “comprises a chain of two issues leading to remote code execution (RCE) that can be exploited by unauthenticated attackers.”
In a proof-of-concept posted to GitHub, Sinsinology said: “VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface."
"This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user.
“The RPC interface is protected by a reverse proxy which can be bypassed,” the post continued, saying that a successful attacker gets root access on the affected system.
VMware has patched the product against the vulnerability.
