CVE-2023-20887
Published 2023-06-07
Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2023-07-13
Exploited in the wild
EPSS: 98.24% (99.9th percentile)
Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | aria_operations_for_networks | 6.2.0 – 6.10.0 | version-specific patch builds per VMSA-2023-0012 (e.g. 6.2.0 → build 1684162127, 6.10.0 → build 1685358321) |
Detection & IOCs (extracted from sources)
- command: [1,"createSupportBundle",1,0,{"1":{"str":"1111"},"2":{"str":"`{{cmd}}`"},"3":{"str":"value3"},"4":{"lst":["str",2,"AAAA","BBBB"]}}] (Thrift JSON call as sent by the PoC; the injected command sits in field 2 wrapped in backticks, and {{cmd}} is the PoC's placeholder)
- The exploit targets the Apache Thrift RPC interface via the path /saas./resttosaasservlet; the trailing dot in the 'saas.' segment is the nginx reverse proxy bypass. Monitor for POST requests to this path with Content-Type: application/x-thrift.
- The Thrift RPC method abused is 'createSupportBundle'. Look for this method name in POST body payloads to /saas./resttosaasservlet.
- Successful exploitation returns a 200 response with a body containing '{"rec":' and the header 'application/x-thrift'. Absence of 'Provided invalid node Id' or 'Invalid nodeId' in the body indicates a successful bypass.
- Use Shodan/FOFA queries to identify exposed instances: search for the title 'VMware vRealize Network Insight' or 'vmware aria operations' to find internet-facing targets.
- GreyNoise observed attempted mass-scanning activity from internet sources utilizing proof-of-concept exploit code. Monitor for scanning/exploitation attempts originating from mass-internet-scanner IPs targeting Aria Operations for Networks instances.
- The nginx reverse proxy bypass requires a specially crafted request path ('/saas./resttosaasservlet', with a dot after 'saas'). The vulnerability is only reachable by chaining the nginx bypass with the command injection; neither issue alone is sufficient for exploitation.
- The Metasploit module uploads and executes payloads to gain root privileges. The module was successfully tested against version 6.8.0 specifically.
- Affected versions are 6.2 through 6.10. Fixed build IDs are version-specific (e.g., 6.2.0 → 1684162127, 6.10.0 → 1685358321). Verify the exact build ID, not just the version number, when confirming patch status.
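The monitoring advice above (POSTs to the bypass path, mass-scanner sources) is easiest to act on retrospectively in the reverse proxy's access log. The script below is an added example, not code from the page's sources: it assumes nginx's default "combined" log format in front of the appliance, and the log lines embedded in it are constructed, not captured traffic. It percent-decodes the request path before comparing it, so a request for `/saas%2E/resttosaasservlet` is counted alongside the literal form; that is a hunting choice to avoid missing encoded variants, not a claim that the encoded form bypasses nginx.

```python
"""Hunt nginx 'combined' access logs for CVE-2023-20887 bypass-path requests.

Added example (not from the page or any vendor). Sample log lines are
constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines; the IPs are documentation ranges, not real sources.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jun/2023:10:01:02 +0000] "POST /saas./resttosaasservlet HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
203.0.113.10 - - [20/Jun/2023:10:01:03 +0000] "POST /saas./resttosaasservlet HTTP/1.1" 200 815 "-" "python-requests/2.31.0"
198.51.100.7 - - [20/Jun/2023:10:05:44 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jun/2023:10:05:45 +0000] "POST /saas/resttosaasservlet HTTP/1.1" 403 153 "-" "Mozilla/5.0"
192.0.2.99 - - [20/Jun/2023:11:30:00 +0000] "POST /saas%2E/resttosaasservlet HTTP/1.1" 200 812 "-" "curl/8.1.2"
"""

# nginx 'combined' format: ip ident user [ts] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

# The bypass path from the IOC list; the Suricata rule matches it with 'endswith'.
BYPASS_PATH = "/saas./resttosaasservlet"


def normalise_path(path: str) -> str:
    """Drop the query string and percent-decode so '/saas%2E/' compares as '/saas./'."""
    return unquote(path.split("?", 1)[0])


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(log_text: str) -> dict:
    """Count POSTs to the bypass path per source IP.

    'http_200' is tracked separately because the IOC list says a successful
    exploitation attempt is answered with HTTP 200.
    """
    hits = defaultdict(lambda: {"total": 0, "http_200": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not normalise_path(rec["path"]).endswith(BYPASS_PATH):
            continue
        entry = hits[rec["ip"]]
        entry["total"] += 1
        if rec["status"] == "200":
            entry["http_200"] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, counts in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{ip}: {counts['total']} bypass-path POST(s), {counts['http_200']} answered 200")
```

The direct request to `/saas/resttosaasservlet` (no dot) is deliberately not counted: the proxy is expected to reject it, and the 403 in the sample shows that. Any source with a non-zero `http_200` count against the bypass path is a host to treat as compromised until proven otherwise, since the appliance runs the injected command as root.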
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Vmware Aria Operations for Networks Command Injection Vulnerability
cisa·2023-06-22·CVSS 9.8·CRITICAL·CWE-77
Vulnerability: Vmware Aria Operations for Networks Command Injection Vulnerability
Affected: VMware Aria Operations for Networks
VMware Aria Operations for Networks (formerly vRealize Network Insight) contains a command injection vulnerability that allows a malicious actor with network access to perform an attack resulting in remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://www.vmware.com/security/advisories/VMSA-2023-0012.html; https://nvd.nist.gov/vuln/detail/CVE-2023-20887
Remediation Due Date: 2023-07-13
VMware
VMware Aria Operations for Networks updates address multiple vulnerabilities. (CVE-2023-20887, CVE-2023-20888, CVE-2023-20889)
vendor_vmware·2023-06-07·CVSS 9.8·CRITICAL
Advisory: VMSA-2023-0012
Aria Operations for Networks contains a command injection vulnerability. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.
CVEs: CVE-2023-20887, CVE-2023-20888, CVE-2023-20889
Affected products: VMware Aria
GHSA
GHSA-8vx8-r5j3-f2vf: Aria Operations for Networks contains a command injection vulnerability
ghsa_unreviewed·2023-06-07·CRITICAL·CWE-77
Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.
VulnCheck
Vmware Aria Operations for Networks Command Injection Vulnerability
vulncheck·2023·CVSS 9.8·CRITICAL·CWE-77
VMware Aria Operations for Networks (formerly vRealize Network Insight) contains a command injection vulnerability that allows a malicious actor with network access to perform an attack resulting in remote code execution.
Affected: VMware Aria Operations for Networks
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.vmware.com/security/advisories/VMSA-2023-0012.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://information.rapid7.com/rs/411-NAK-970/images/Rapid7-2023-Mid-Year-Threat-Review.pdf; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-04&host_type=src&vulnerability=cve-2023-20887; http
Suricata
ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)
suricata·2023-06-21·CVSS 9.8·CRITICAL
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/saas./resttosaasservlet"; endswith; fast_pattern; http.content_type; bsize:20; content:"application/x-thrift"; http.request_body; content:"createSupportBundle"; content:"|7b 22|str|22 3a 22 60|"; distance:0; content:"|60|"; distance:0; reference:url,summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/; reference:cve,2023-20887; reference:cve,2023-20888; reference:cve,2023-20889; classtype:attempted-admin; sid:2046500; rev:2; metadata:affected_product VMware, attack_target Client_Endpoin
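The rule above and the Detection & IOCs list earlier on the page describe the same signal: a POST whose URI ends in the bypass path, an exact `application/x-thrift` content type, and a body carrying `createSupportBundle` followed by a backtick-wrapped string argument. The code below is an added example, not part of the rule or of any source on this page: it re-implements those predicates over a raw HTTP request (keeping the rule's literal, ordered substring semantics) and then decodes the Thrift TJSONProtocol envelope `[version, name, type, seqid, args]` so an alert can name the RPC method and the injected command rather than just the byte pattern. The sample requests are constructed; the injected command is a harmless `id`.

```python
"""Match a raw HTTP request against the ET rule logic for CVE-2023-20887 and,
on a hit, decode the Thrift JSON call to recover the injected command.

Added example (not from the page's sources). Sample requests are constructed.
"""
import json

BYPASS_PATH = "/saas./resttosaasservlet"   # http.uri; content:"..."; endswith
THRIFT_CT = "application/x-thrift"         # http.content_type; bsize:20 -> exact match
INJECT_MARK = '{"str":"`'                  # content:"|7b 22|str|22 3a 22 60|"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")


def matches_et_rule(method: str, path: str, headers: dict, body: str) -> bool:
    """The predicates of sid:2046500 in order; each body match starts where the
    previous one ended (distance:0)."""
    if method != "POST" or not path.endswith(BYPASS_PATH):
        return False
    if headers.get("content-type") != THRIFT_CT:
        return False
    i = body.find("createSupportBundle")
    if i < 0:
        return False
    j = body.find(INJECT_MARK, i)
    if j < 0:
        return False
    return body.find("`", j + len(INJECT_MARK)) >= 0   # content:"|60|"; distance:0


def thrift_json_call(body: str):
    """Decode a TJSONProtocol message [version, name, type, seqid, args] into
    (method_name, {field_id: string_value}); None if the body is not one."""
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    if not (isinstance(msg, list) and len(msg) == 5 and isinstance(msg[4], dict)):
        return None
    args = {fid: typed["str"] for fid, typed in msg[4].items()
            if isinstance(typed, dict) and isinstance(typed.get("str"), str)}
    return msg[1], args


def inspect(raw: bytes):
    """Return a finding for an exploitation attempt, else None."""
    method, path, headers, body = parse_request(raw)
    if not matches_et_rule(method, path, headers, body):
        return None
    call = thrift_json_call(body)
    rpc_method, args = call if call else (None, {})
    injected = [v.strip("`") for v in args.values()
                if len(v) >= 2 and v.startswith("`") and v.endswith("`")]
    return {"path": path, "rpc_method": rpc_method, "injected_commands": injected}


# Constructed samples (not captured traffic); injected command is a harmless 'id'.
EXPLOIT_REQUEST = (
    b"POST /saas./resttosaasservlet HTTP/1.1\r\n"
    b"Host: aria.example.internal\r\n"
    b"Content-Type: application/x-thrift\r\n"
    b"\r\n"
    b'[1,"createSupportBundle",1,0,{"1":{"str":"1111"},"2":{"str":"`id`"},'
    b'"3":{"str":"value3"},"4":{"lst":["str",2,"AAAA","BBBB"]}}]'
)
# Same body to the un-dotted path the proxy blocks: not a hit for this rule.
DIRECT_PATH_REQUEST = EXPLOIT_REQUEST.replace(b"/saas./", b"/saas/", 1)
# Bypass path, but an ordinary node id without backticks: not a hit.
NO_INJECTION_REQUEST = EXPLOIT_REQUEST.replace(b"`id`", b"node-2", 1)

if __name__ == "__main__":
    for name, req in [("exploit", EXPLOIT_REQUEST), ("direct-path", DIRECT_PATH_REQUEST),
                      ("no-injection", NO_INJECTION_REQUEST)]:
        print(name, inspect(req))
```

Two points worth keeping in mind when porting the rule to another sensor: `bsize:20` makes the content-type check an exact match, so a value with parameters appended would not fire, and the body checks are literal substring matches, which is why `thrift_json_call` is added here to give the alert the method name and the offending field instead of only a byte pattern.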
Nuclei
VMware VRealize Network Insight - Remote Code Execution
nuclei·CVSS 9.8·CRITICAL
VMware Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of 'root' on the appliance. VMware 6.x versions are vulnerable.
Template:
id: CVE-2023-20887
info:
name: VMware VRealize Network Insight - Remote Code Execution
author: si
Metasploit
VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE
metasploit
VMware Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of 'root' on the appliance. VMware 6.x versions are vulnerable. This module exploits the vulnerability to upload and execute payloads, gaining root privileges.
Qualys
2023 Threat Landscape Year in Review: If Everything Is Critical, Nothing Is
blogs_qualys·2023-12-19
## Table of Contents
2023 Statistics
2023 Vulnerability Threat Landscape
Top Vulnerability Types
Key Insights
Top MITRE ATT&CK Tactics & Techniques
Most Active Threats
Conclusion
As 2023 nears its end, it’s time to pause and reflect. It’s time to assess what worked and what didn’t, what caught our attention and caused disruption, and what went unnoticed. More importantly, we need to know what lessons we learned from 2023 so that we can do a better job of managing risk in the coming year. In line with this, the Qualys Threat Research Unit has prepared a comprehensive blog series to review the threat landscape in 2023.
Key Takeaways:
Less than one percent of vulnerabilities contributed to the highest risk and were routinely exploited in the wild.
97 high-risk vulnerabilities, like
Qualys
Top Cyber Threats of 2023: An In-Depth Review (Part One) | Qualys
blogs_qualys·2023-12-19
Bleepingcomputer
VMware warns admins of public exploit for vRealize RCE flaw
blogs_bleepingcomputer·2023-10-24·CVSS 9.8·CRITICAL·CVE-2023-34051 (a separate VMware Aria flaw, not CVE-2023-20887)
By Sergiu Gatlan
VMware warned customers on Monday that proof-of-concept (PoC) exploit code is now available for an authentication bypass flaw in vRealize Log Insight (now known as VMware Aria Operations for Logs).
"Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published," the company said in an update to the original advisory.
Tracked as CVE-2023-34051 , it allows unauthenticated attackers to execute code remotely with root permissions if certain conditions are met.
Successful exploitation hinges on the attacker compromising a host within the targeted environment and possessing permissions to add an extra interface or static IP address, according to Horizon3 security research
Qualys
Top 10 Exploited Vulnerabilities in 2023: Insights from the Qualys Survey | Qualys
blogs_qualys·2023-09-26·CVSS 7.8·HIGH
#### Table of Contents
- 7 Key Insights by the Qualys Threat Research Unit
- A Closer Look at the Top 10 Exploited Vulnerabilities of 2023
- Optimizing Risk Management with Qualys VMDR TruRiskDashboard
- Next Steps: Reduce Your Risk to the Top 10 Vulnerabilities with Qualys VMDR
- Additional Contributors:
The Qualys Threat Research Unit (TRU) has thoroughly analyzed vulnerabilities reported in 2023. Our comprehensive study assesses factors including weaponization status, existence in the CISA KEV, instances or usage of malware and ransomware, trending vulnerabilities, various scoring metrics, and recency of threats. Insights for the Top 10 vulnerabilities during 2023 are also based on evidence of exploitation, patch adoption rates, and the longevity of vulnerabilities.
## 7 Key Insights
Qualys
Qualys Survey of Top 10 Exploited Vulnerabilities in 2023
blogs_qualys·2023-09-26·CVSS 7.8·HIGH
Tenable
CVE-2023-20887: VMware Aria Operations for Networks Command Injection
blogs_tenable·2023-06-14·CVSS 9.8·CRITICAL
Greynoiseio
The Eighth Day Of Tagsmas (2023): Remote Code Execution in VMWare Aria Operations for Networks (CVE-2023-20887)
blogs_greynoiseio·CVSS 9.8·CRITICAL
Greynoiseio
NoiseLetter
blogs_greynoiseio
Greynoiseio
GreyNoise Round-Up: Product Updates
blogs_greynoiseio
Greynoiseio
Observed In The Wild: New Tag For CVE-2023-20887 — VMWare Aria Operations for Networks
blogs_greynoiseio·CVSS 9.8·CRITICAL
References
- http://packetstormsecurity.com/files/173761/VMWare-Aria-Operations-For-Networks-Remote-Command-Execution.html
- https://www.vmware.com/security/advisories/VMSA-2023-0012.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20887
Timeline
- 2023-06-07: Published
- 2023-06-22: Added to CISA KEV
- Exploited in the wild