VMware updated a security advisory released two weeks ago to warn customers that a now-patched critical vulnerability allowing remote code execution is being actively exploited in attacks.

“VMware has confirmed that a CVE-2023-20887 exploit has occurred in the wild,” the company said. said Today.

This advisory follows several warnings from cybersecurity firm GreyNoise, the first published one week after VMware fixed the security flaw on June 15 and only two days after security researcher Sina Kheirkhah share technical details and proof-of-concept exploit code.

“We have observed mass analysis attempts using the Proof-Of-Concept code mentioned above in an attempt to launch a reverse shell that connects to an attacker-controlled server in order to receive further commands,” said Jacob Fisher, research analyst at GreyNoise. said.

GreyNoise CEO Andrew Morris also alert VMware administrators of this ongoing malicious activity earlier today, which likely prompted VMware to update its advisory.

GreyNoise now provides a dedicated beacon to help keep track of IP addresses observed while attempting to exploit CVE-2023-20887.

The vulnerability affects VMware Aria Operations for Networks (formerly vRealize Network Insight), a network analysis tool that helps administrators optimize network performance or manage VMware and Kubernetes deployments.

Unauthenticated hackers can exploit this command injection flaw in low-complexity attacks that do not require user interaction.

“VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface,” Kheirkhah explained in a bug root cause analysis of security.

“This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user.”

No workaround is available to remove the attack vector for CVE-2023-20887, so administrators should patch all on-premises installations of VMware Aria Operations Networks 6.x to ensure they are protected against ongoing attacks.

A complete list of security patches for all vulnerable versions of Aria Operations for Networks is available at VMware Customer Connect website.