cbcvebase.
CVE-2023-20888
published 2023-06-07

CVE-2023-20888: Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for…

PriorityP182high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
82.28%
99.6th percentile
Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution.

Affected

1 ranges
VendorProductVersion rangeFixed in
vmwarevrealize_network_insight6.2.0 – 6.10.0

Detection & IOCsextracted from sources · hover to see the quote

urlPOST /api/auth/login HTTP/1.1
path/api/events/push-notifications
path/saas./resttosaasservlet
otherContent-Type: application/x-thrift
commandcreateSupportBundle
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Aria Operations for Networks RCE Attempt (CVE-2023-20887)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/saas./resttosaasservlet"; endswith; fast_pattern; http.content_type; bsize:20; content:"application/x-thrift"; http.request_body; content:"createSupportBundle"; content:"|7b 22|str|22 3a 22 60|"; distance:0; content:"|60|"; distance:0; reference:url,summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/; reference:cve,2023-20887; reference:cve,2023-20888; reference:cve,2023-20889; classtype:attempted-admin; sid:2046500; rev:2; metadata:affected_product VMware, attack_target Client_Endpoint, created_at 2023_06_21, cve CVE_2023_20887, deployment Perimeter, confidence High, signature_severity Major, tag CVE_2023_20887, tag CVE_2023_20888, tag CVE_2023_20889, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_27, reviewed_at 2024_10_15;)
bytes
|7b 22|str|22 3a 22 60|
  • Monitor for POST requests to /api/events/push-notifications with a Java deserialization gadget payload in the request body (endOffset field), following a successful login to /api/auth/login with 'member' role credentials.
  • Detect POST requests to /saas./resttosaasservlet with Content-Type: application/x-thrift and body containing 'createSupportBundle' and backtick-wrapped command injection sequences (byte pattern |7b 22|str|22 3a 22 60|).
  • Use Shodan/FOFA queries to identify exposed VMware Aria Operations / vRealize Network Insight instances as potential targets: title:"VMware Aria Operations" or http.title:"vmware vrealize network insight".
  • A successful exploit attempt against CVE-2023-20888 will return HTTP 500 from the /api/events/push-notifications endpoint while triggering an out-of-band DNS interaction (OAST), indicating deserialization execution.
  • Extract the CSRF token from the login response body (csrfToken field) and include it as X-Vrni-Csrf-Token header in subsequent exploit requests — its absence or null value in the login step is a distinguishing characteristic of the attack flow.
  • ·CVE-2023-20888 requires authenticated access with a valid 'member' role — exploitation is not unauthenticated, unlike the related CVE-2023-20887 command injection.
  • ·The Snort/ET rule (sid:2046500) is primarily written for CVE-2023-20887 (command injection via /saas./resttosaasservlet) but is tagged for CVE-2023-20888 and CVE-2023-20889 as well — analysts should not rely solely on this rule for CVE-2023-20888 deserialization detection.
  • ·At the time of the Tenable blog publication (June 14, 2023), no public PoC was available specifically for CVE-2023-20888; the available PoC covered CVE-2023-20887.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.