

CVE-2023-20887 is a critical remote code execution vulnerability discovered in VMware Aria Operations for Networks (formerly known as vRealize Network Insight) versions 6.2 through 6.10. Aria Operations is a network monitoring and management tool. With a CVSS score of 9.8, this vulnerability allows an unauthenticated remote attacker to execute arbitrary commands as root on servers running vulnerable versions of Aria Operations.
Researchers from Juniper Networks discovered CVE-2023-20887. Their analysis found that improper input validation in a Java server component allowed command injection, which could enable a remote attacker to achieve unauthorized remote code execution.
Within a week of disclosure on June 7, 2023, researchers at GreyNoise observed attempted mass-scanning activity from internet sources using proof-of-concept exploit code, and that activity continues today. Because CVE-2023-20887 grants remote code execution, successfully exploited servers could allow threat actors to move laterally and compromise other systems.
Ongoing scanning activity indicates that attackers continue to find and compromise any unpatched instances accessible online.
While VMware has released patches, organizations that have not yet updated remain at risk. They should confirm that external firewall rules are not unnecessarily exposing applications, look for signs of compromise across their environment, and apply updates if they find a vulnerable Aria Operations instance.