cbcvebase.
CVE-2023-20887
published 2023-06-07

Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2023-07-13
Exploited in the wild
EPSS: 98.24% (99.9th percentile)
Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.

Affected (1 range)

Vendor: vmware
Product: aria_operations_for_networks
Version range: 6.2.0 – 6.10.0
Fixed in: (not given)

Detection & IOCs (extracted from sources)

url: POST /saas./resttosaasservlet HTTP/1.1
path: /saas./resttosaasservlet
other: Content-Type: application/x-thrift
command: [1,"createSupportBundle",1,0,{"1":{"str":"1111"},"2":{"str":"`{{cmd}}`"},"3":{"str":"value3"},"4":{"lst":["str",2,"AAAA","BBBB"]}}]
  • The exploit targets the Apache Thrift RPC interface via the path /saas./resttosaasservlet; the leading dot in 'saas.' is the nginx reverse proxy bypass technique. Monitor for POST requests to this path with Content-Type: application/x-thrift.
  • The Thrift RPC method abused is 'createSupportBundle'. Look for this method name in POST body payloads to /saas./resttosaasservlet.
  • Successful exploitation returns a 200 response with a body containing '{"rec":' and the header 'application/x-thrift'. Absence of 'Provided invalid node Id' or 'Invalid nodeId' in the body indicates a successful bypass.
  • Use Shodan/FOFA queries to identify exposed instances: search for the title 'VMware vRealize Network Insight' or 'vmware aria operations' to find internet-facing targets.
  • GreyNoise observed attempted mass-scanning activity from internet sources utilizing proof-of-concept exploit code. Monitor for scanning/exploitation attempts originating from mass-internet-scanner IPs targeting Aria Operations for Networks instances.
  • The nginx reverse proxy bypass requires a specially crafted request path ('/saas./resttosaasservlet', with a dot after 'saas'). The vulnerability is only reachable by chaining the nginx bypass with the command injection; neither issue alone is sufficient for exploitation.
  • The Metasploit module uploads and executes payloads to gain root privileges. The module was successfully tested against version 6.8.0 specifically.
  • Affected versions are 6.2 through 6.10. Fixed build IDs are version-specific (e.g., 6.2.0→1684162127, 6.10.0→1685358321). Verify the exact build ID, not just the version number, when confirming patch status.
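The indicators above (POST to the dotted /saas./resttosaasservlet path, a Thrift content type, the createSupportBundle method name in the body, and the response shape the sources associate with a successful bypass) can be turned into a small triage rule for proxy or sensor logs. The following is an added example written for this page; it is not code from VMware, CISA, GreyNoise or the Metasploit project. The HttpRecord shape, the constructed sample records, and the dot-free canonical path used to normalize trailing-dot segment variants are assumptions of the example. It generalizes slightly beyond the page by matching any trailing-dot spelling of a path segment, not only 'saas.', so that the same rule still fires if a scanner varies the bypass spelling.

```python
"""Detection helper for the CVE-2023-20887 indicators quoted on this page.

Added example, not from the page's sources. The record layout below is an
assumed shape for one request/response pair as a proxy or sensor might log it.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicators taken from the page.
RAW_SUSPECT_PATH = "/saas./resttosaasservlet"
THRIFT_CONTENT_TYPE = "application/x-thrift"
RPC_METHOD = "createSupportBundle"
SUCCESS_MARKER = '{"rec":'
FAILURE_MARKERS = ("Provided invalid node Id", "Invalid nodeId")
# Assumption: the dot-free path is what the servlet is normally reached as; it is
# only used as the normalization target so trailing-dot variants compare equal.
CANONICAL_PATH = "/saas/resttosaasservlet"


@dataclass
class HttpRecord:
    """One request/response pair (assumed log shape for this example)."""
    method: str
    path: str
    headers: dict
    body: str = ""
    status: Optional[int] = None
    response_headers: dict = field(default_factory=dict)
    response_body: str = ""


def normalize_path(path: str) -> str:
    """Drop the query string and trailing dots on every segment, and collapse
    repeated slashes, so '/saas./resttosaasservlet' == '/saas/resttosaasservlet'."""
    path = path.split("?", 1)[0]
    segments = [seg.rstrip(".") for seg in path.split("/")]
    return re.sub(r"/{2,}", "/", "/".join(segments)) or "/"


def header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def classify(rec: HttpRecord) -> dict:
    """Report which page indicators matched and whether the response looks like
    the 'successful bypass' shape (200, Thrift content type, '{"rec":' present,
    no invalid-node error text)."""
    reasons = []
    if rec.method.upper() == "POST" and normalize_path(rec.path) == CANONICAL_PATH:
        reasons.append("post_to_resttosaasservlet")
        if rec.path.split("?", 1)[0] != CANONICAL_PATH:
            reasons.append("dotted_path_variant")  # the proxy-bypass spelling
    if THRIFT_CONTENT_TYPE in header(rec.headers, "Content-Type").lower():
        reasons.append("thrift_content_type")
    if RPC_METHOD in rec.body:
        reasons.append("createSupportBundle_in_body")

    # Alert only when the servlet path is hit together with at least one payload
    # indicator, so unrelated POSTs are not flagged on content type alone.
    suspicious = "post_to_resttosaasservlet" in reasons and len(reasons) >= 2
    response_ok = (
        rec.status == 200
        and SUCCESS_MARKER in rec.response_body
        and THRIFT_CONTENT_TYPE in header(rec.response_headers, "Content-Type").lower()
        and not any(marker in rec.response_body for marker in FAILURE_MARKERS)
    )
    return {"suspicious": suspicious, "reasons": reasons,
            "likely_success": bool(suspicious and response_ok)}


# Constructed sample records for demonstration; not captured traffic.
THRIFT = {"Content-Type": "application/x-thrift"}
SAMPLES = {
    "probe_rejected": HttpRecord(
        "POST", RAW_SUSPECT_PATH, THRIFT,
        body='[1,"createSupportBundle",1,0,{"1":{"str":"1111"}}]',
        status=200, response_headers=THRIFT,
        response_body='[1,"createSupportBundle",2,0,{"1":{"str":"Invalid nodeId"}}]'),
    "probe_accepted": HttpRecord(
        "POST", RAW_SUSPECT_PATH + "?x=1", THRIFT,
        body='[1,"createSupportBundle",1,0,{"1":{"str":"1111"}}]',
        status=200, response_headers=THRIFT,
        response_body='[1,"createSupportBundle",2,0,{"0":{"rec":{}}}]'),
    "benign_get": HttpRecord("GET", CANONICAL_PATH, {}, status=200),
    "benign_post_elsewhere": HttpRecord(
        "POST", "/api/login", {"Content-Type": "application/json"},
        body='{"user":"alice"}', status=200),
}


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; callers feed their own HttpRecord mapping."""
    return {name: classify(rec) for name, rec in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(name, verdict)
```

The rule deliberately requires the servlet path plus a second indicator before it flags a record, and it reports "likely_success" separately so responders can prioritise hosts that returned the '{"rec":' shape over hosts that answered with the invalid-node error. As the page notes, confirm patch status by build ID rather than version string when following up a hit.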

CVSS provenance

nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL