Skip to content

VMware warns of critical vRealize flaw exploited in attacks

VMware has released an updated security advisory warning customers of a critical vulnerability that allows for remote code execution and is being actively exploited in attacks. This vulnerability, referred to as CVE-2023-20887, was patched on June 15th and since then has been subject to active exploitation by malicious actors.

Security researchers from GreyNoise were the first to issue a warning about the vulnerability one week after its patch, and two days later technical details were shared by researcher Sina Kheirkhah along with proof-of-concept exploit code. The potential severity of this vulnerability has been widely recognised as critical due to its ability to be used in remote code execution attacks, allowing attackers to gain control over vulnerable systems without requiring user authentication or interaction.

The announcement from VMware stresses the importance of updating vulnerable systems as soon as possible in order to protect against these active attacks, and recommends running updates directly from within their vSphere platform. As always, users should remain vigilant against potential threats and take extra precautions when dealing with unknown applications or files.

GreyNoise, an intelligence analysis company, has identified a malicious activity involving the exploitation of a security vulnerability in VMware products. This vulnerability, known as CVE-2023-20887, is being used by attackers to launch reverse shells that connect back to attacker-controlled servers. Jacob Fisher, a research analyst at GreyNoise, reported observing attempted mass-scanning activities using associated proof-of-concept code. Andrew Morris, CEO of GreyNoise, alerted VMware admins to this ongoing malicious activity earlier today and VMware promptly issued an advisory in response.

In order to help organisations keep tabs on associated IP addresses associated with these exploits, GreyNoise has set up a dedicated tag for tracking them. This will allow organizations to more easily identify which IPs may be involved in malicious activity related to CVE-2023-20887.


A critical security flaw has been discovered in VMware Aria Operations for Networks (formerly vRealize Network Insight), a network analytics tool used to optimize network performance and manage deployments of VMware and Kubernetes. The vulnerability can be exploited by unauthenticated threat actors, allowing them to execute malicious code on the affected systems with low-complexity attacks that don't require user interaction.

The vulnerability resides within the Apache Thrift RPC interface, which accepts user input. According to researcher Milad Kheirkhah's root cause analysis of the security bug, this interface is prone to command injection attacks due to improper validation of user input. If successful, these attacks could allow attackers to access sensitive information or take control of vulnerable systems.

Given the high-risk nature of this vulnerability, it is important that all users of Aria Operations for Networks (vRealize Network Insight) immediately apply necessary patches and update their systems with the latest version. Organisations should also monitor network traffic for any suspicious behavior that may indicate an active attack.

CVE-2023-20887 is a severe vulnerability that affects VMware Aria Operations Networks 6.x on-prem installations. This critical vulnerability allows an unauthenticated remote attacker to gain access to the underlying system and execute arbitrary commands as root, without requiring any authentication or authorisation. Due to this vulnerability, anyone can run malicious code on the affected systems, posing a serious risk to the security and integrity of the system. Moreover, this vulnerability has been actively exploited in the wild so it is important to take preventive measures against it immediately.