CVE-2023-20887
Published: 07 June 2023
Summary
CVE-2023-20887 is a critical-severity Command Injection (CWE-77) vulnerability in VMware Aria Operations for Networks. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
VMware Aria Operations for Networks is affected by a command injection vulnerability tracked as CVE-2023-20887. The flaw, assigned CWE-77, permits unauthenticated attackers to inject and execute operating system commands, leading to full remote code execution on the target appliance. It carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.
An attacker with network reachability to an exposed Aria Operations for Networks instance can supply crafted input that bypasses input sanitization and executes arbitrary commands under the privileges of the service account. Successful exploitation grants complete control of the affected system, including the ability to read, modify, or delete data and to pivot within the management network.
VMware’s advisory VMSA-2023-0012 details the affected versions and remediation steps, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation. The EPSS score reached a peak of 0.9721 and remains at 0.9426, indicating sustained and widespread exploitation interest following disclosure. Public exploit code has also appeared on Packet Storm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-25058
Vulnerability details
Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.
- CWE(s): CWE-77
- KEV Date Added: 22 June 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces validation of network-supplied inputs to block operating-system command injection that leads to RCE.
- SI-2 (Flaw Remediation): Requires prompt application of vendor patches that directly eliminate the command-injection flaw in Aria Operations for Networks.
- Restricts network reachability to the vulnerable management interfaces, reducing the attack surface for unauthenticated RCE.
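The SI-10 control above is abstract; the following added example (written for this page, not VMware's code, and saying nothing about where the Aria injection point actually is) shows the general shape of the defect class and its fix. It contrasts a hypothetical diagnostic handler that concatenates a network-supplied host into a shell string with a hardened version that allowlist-validates the value and passes it as a discrete argv element with no shell. The `PING` path, the function names and the sample inputs are assumptions.

```python
import re
import subprocess

# Assumed path for this example; not taken from the product.
PING = "/usr/bin/ping"


def build_shell_command(target: str) -> str:
    """VULNERABLE pattern: request data is concatenated into a shell string.

    A value carrying shell metacharacters (';', '|', '$(' ...) reaches /bin/sh
    unchanged. Returned as a string here so the example can show it without
    ever executing it.
    """
    return f"{PING} -c 1 {target}"


# Allowlist: an IPv4 dotted quad or a DNS hostname built from RFC 1123 labels.
# Labels must start with an alphanumeric, so option-like values ("-f") and
# anything containing whitespace or shell metacharacters fail to match.
_HOST_RE = re.compile(
    r"^(?:(?:\d{1,3}\.){3}\d{1,3}"
    r"|(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)$"
)


def validate_host(target: str) -> str:
    """SI-10 style validation: accept only what the allowlist permits, reject the rest."""
    if len(target) > 253 or not _HOST_RE.fullmatch(target):
        raise ValueError(f"rejected target: {target!r}")
    return target


def accepts(target: str) -> bool:
    """True if the allowlist would let this value through."""
    try:
        validate_host(target)
        return True
    except ValueError:
        return False


def build_argv(target: str) -> list:
    """Hardened pattern: the validated value is one argv element.

    No shell is involved (subprocess with a list and shell=False), so even a
    value that slipped past the allowlist would have no interpreter to reach.
    """
    return [PING, "-c", "1", validate_host(target)]


def run_diagnostic(target: str, timeout: float = 5.0) -> int:
    """Execute the hardened command; returns the process exit status."""
    result = subprocess.run(build_argv(target), shell=False,
                            capture_output=True, timeout=timeout, check=False)
    return result.returncode


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate targets and two that carry
    # shell syntax of the kind input validation is meant to stop.
    for sample in ["10.0.0.5", "host.example.net", "10.0.0.5; id", "$(whoami)"]:
        print(f"{sample!r:22} shell string: {build_shell_command(sample)!r}")
        print(f"{'':22} allowlisted:  {accepts(sample)}")
```

The unsafe builder never rejects anything: every sample above becomes a shell string. The hardened path rejects the last two before any process is spawned, and for the accepted ones the value is never parsed by a shell at all. Validation and avoiding the shell are two independent layers; the second still matters if the allowlist is ever loosened.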