Cyber Resilience

CVE-2023-20887

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 07 June 2023
Modified: 28 October 2025
KEV Added: 22 June 2023
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9426 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-20887 is a critical-severity command injection (CWE-77) vulnerability in VMware Aria Operations for Networks. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

VMware Aria Operations for Networks is affected by a command injection vulnerability tracked as CVE-2023-20887. The flaw, assigned CWE-77, permits unauthenticated attackers to inject and execute operating system commands, leading to full remote code execution on the target appliance. It carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.

An attacker with network reachability to an exposed Aria Operations for Networks instance can supply crafted input that bypasses input sanitization and executes arbitrary commands under the privileges of the service account. Successful exploitation grants complete control of the affected system, including the ability to read, modify, or delete data and to pivot within the management network.

VMware’s advisory VMSA-2023-0012 details the affected versions and remediation steps, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation. The EPSS score reached a peak of 0.9721 and remains at 0.9426, indicating sustained and widespread exploitation interest following disclosure. Public exploit code has also appeared on Packet Storm.

EU & UK References

Vulnerability details

Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.

CWE(s): CWE-77 (Command Injection)
KEV Date Added: 22 June 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

VMware Aria Operations for Networks, versions 6.2.0 through 6.10.0

Mitigating Controls (NIST 800-53 r5)

- Prevent, SI-10 (Information Input Validation): Enforces validation of network-supplied inputs to block operating-system command injection that leads to RCE.

- Prevent, SI-2 (Flaw Remediation): Requires prompt application of vendor patches that directly eliminate the command-injection flaw in Aria Operations for Networks.

- Prevent: Restricts network reachability to the vulnerable management interfaces, reducing the attack surface for unauthenticated RCE.
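The analysis above describes the flaw only at the CWE-77 level (untrusted network input reaching an OS command), and the SI-10 control asks for validation of that input. The following is an added, generic illustration of that pattern and is not VMware's code, not the Aria Operations for Networks code path, and not derived from the referenced proof-of-concept: it uses a harmless `echo` as a stand-in for whatever OS command the service runs, feeds it a constructed input, and contrasts a shell-string build with a validated argv-list build. The function names, the hostname pattern and the sample input are this example's own assumptions.

```python
"""Added example: CWE-77 command injection, vulnerable vs. hardened (not the
page's or vendor's code). `echo` stands in for the real OS command."""
import ipaddress
import re
import subprocess

# Strict DNS-hostname pattern (RFC 1123 labels, no leading/trailing hyphen).
# Assumption of this example: the only legitimate values are hosts or IPs.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_target(value: str) -> str:
    """SI-10 style allow-list validation: accept an IP literal or a hostname,
    reject everything else (shell metacharacters, spaces, option-like '-x')."""
    try:
        return str(ipaddress.ip_address(value))  # normalises IPv4/IPv6
    except ValueError:
        pass
    if _HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"rejected target: {value!r}")


def vulnerable_run(target: str) -> str:
    """CWE-77: untrusted value interpolated into a shell string. With
    shell=True the ';' splits the line and the second command executes."""
    completed = subprocess.run(
        f"echo {target}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


def argv_only_run(target: str) -> str:
    """Defence-in-depth without validation: passing an argv list (shell=False)
    means no shell parses the value, so metacharacters stay literal text."""
    completed = subprocess.run(
        ["echo", target], shell=False, capture_output=True, text=True
    )
    return completed.stdout.rstrip("\n")


def hardened_run(target: str) -> str:
    """Both layers: validate against the allow-list, then invoke via argv."""
    safe = validate_target(target)
    completed = subprocess.run(
        ["echo", safe], shell=False, capture_output=True, text=True, check=True
    )
    return completed.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed sample input in the shape a command-injection probe takes.
    probe = "localhost; echo INJECTED"
    print("vulnerable :", repr(vulnerable_run(probe)))   # two lines: 2nd command ran
    print("argv-only  :", repr(argv_only_run(probe)))    # single literal line
    try:
        hardened_run(probe)
    except ValueError as exc:
        print("hardened   : rejected ->", exc)
    print("hardened ok:", hardened_run("10.0.0.5"))
```

The validation function is the piece that maps to SI-10; the argv-list call is the structural fix that removes the shell from the path entirely, so the two controls fail independently. The other two controls on the page (applying the vendor patch per SI-2 and restricting reachability to the management interface) are operational and have no code equivalent here.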

References