VMware today notified customers that exploit code is now available for a critical vulnerability in the VMware Aria Operations for Logs scanning tool, which helps administrators manage terabytes of application and data logs. infrastructure in large-scale environments.

The failure (CVE-2023-20864) is a deserialization weakness patched in apriland it allows unauthenticated attackers to achieve remote execution on unpatched appliances.

Successful exploitation allows threat actors to execute arbitrary code as root in low complexity attacks that do not require user interaction.

“VMware has confirmed that exploit code for CVE-2023-20864 has been released,” the company said. noted in an update to the initial Field Safety Notice.

“CVE-2023-20864 is a critical issue and should be fixed immediately as instructed in the advisory.”

In April, VMware also released security updates to address a less severe command injection vulnerability (CVE-2023-20865) that would allow remote attackers with administrative privileges to execute arbitrary commands as root on vulnerable appliances.

Both flaws were fixed with the release of VMware Aria Operations for Logs 8.12. Fortunately, there is currently no evidence to suggest exploitation in attacks.

VMware Aria Operations flaws attacked

Recently, VMware issued another alert about a critical bug now fixed (CVE-2023-20887) in VMware Aria Operations for Networks (formerly vRealize Network Insight), allowing remote command execution as the root user and being actively exploited in attacks.

CISA too added the default to its list of known exploited vulnerabilities and ordered US federal agencies to apply security updates by July 13.

In light of this, administrators are strongly advised to quickly apply CVE-2023-20864 patches as a precaution against potentially incoming attacks.

Although the number of VMware vRealize instances exposed online is relatively low, it matches the intended design of these appliances, which primarily focus on internal network access within organizations.

Nevertheless, it is important to note that attackers often take advantage of vulnerabilities present in devices within compromised networks.

Therefore, even properly configured VMware appliances that remain vulnerable can become tempting targets within the internal infrastructure of targeted organizations.