CVE-2023-34051
Published 2023-10-20
Priority P181 · critical · CVSS 3.1: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 44.67% (98.6th percentile)
VMware Aria Operations for Logs contains an authentication bypass vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | aria_operations_for_logs | — | — |
| vmware | aria_operations_for_logs | — | — |
| vmware | aria_operations_for_logs | — | — |
| vmware | aria_operations_for_logs | — | — |
| vmware | aria_operations_for_logs | — | — |
| vmware | aria_operations_for_logs | — | — |
| vmware | aria_operations_for_logs | — | — |
Detection & IOCs
- Exploitation abuses IP address spoofing and Thrift RPC endpoints to achieve arbitrary file write on VMware Aria Operations for Logs
- Default exploit payload writes a cron job to establish a reverse shell; monitor for unexpected cron job creation on VMware Aria Operations for Logs appliances
- Attacker must spoof the IP address of a master or worker node to exploit the vulnerability; monitor for unexpected traffic from internal node IPs toward the appliance
- Exploitation requires attacker to have compromised a host within the targeted environment and have permissions to add an extra interface or static IP address; look for unauthorized interface/IP additions on internal hosts
- CVE-2023-34051 is a bypass for the previously chained VMSA-2023-0001 exploit (CVE-2022-31706 directory traversal + CVE-2022-31704 broken access control); monitor for file injection into the OS of VMware Aria Operations for Logs appliances
- Public PoC exploit and IOC list released by Horizon3 Attack Team; defenders should consult Horizon3's published indicators of compromise for detection of exploitation attempts
- CVE-2023-34051 affects VMware Aria Operations for Logs (formerly vRealize Log Insight) and VMware Cloud Foundation; patch per VMSA-2023-0021
GHSA
GHSA-ghvx-5v39-7hv5: VMware Aria Operations for Logs contains an authentication bypass vulnerability
ghsa_unreviewed·2023-10-20
CVE-2023-34051 [CRITICAL] CWE-863 GHSA-ghvx-5v39-7hv5: VMware Aria Operations for Logs contains an authentication bypass vulnerability
VMware
VMware Aria Operations for Logs updates address multiple vulnerabilities. (CVE-2023-34051, CVE-2023-34052)
vendor_vmware·2023-10-19·CVSS 9.8
VMSA-2023-0021: VMware Aria Operations for Logs updates address multiple vulnerabilities. (CVE-2023-34051, CVE-2023-34052)
VMware Aria Operations for Logs contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important Severity Range with a maximum CVSSv3 base score of 8.1.
CVEs: CVE-2023-34051, CVE-2023-34052
Affected products: VMware Aria, VMware Cloud Foundation
No detection rules found.
No public exploits indexed.
Bleepingcomputer
VMware warns admins of public exploit for vRealize RCE flaw
blogs_bleepingcomputer·2023-10-24·CVSS 9.8
## VMware warns admins of public exploit for vRealize RCE flaw
## Sergiu Gatlan
VMware warned customers on Monday that proof-of-concept (PoC) exploit code is now available for an authentication bypass flaw in vRealize Log Insight (now known as VMware Aria Operations for Logs).
"Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published," the company said in an update to the original advisory.
Tracked as CVE-2023-34051, it allows unauthenticated attackers to execute code remotely with root permissions if certain conditions are met.
Successful exploitation hinges on the attacker compromising a host within the targeted environment and possessing permissions to add an extra interface or static IP address, according to Horizon3 security research
Checkpoint
23rd October – Threat Intelligence Report
blogs_checkpoint·2023-10-23
CVE-2023-22515 23rd October – Threat Intelligence Report
## 23rd October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd October, please download our Threat_Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Attackers have gained access to parts of the network of the cloud identity authentication giant Okta. The hackers managed to gain access to the firm’s support unit for at least two weeks and have attempted to use tokens copied from support tickets to access the firm’s customers’ networks. Reportedly, the firm only became