Akamai reports nearly 700,000 attacks with 27,000 of its customers being scanned for the vulnerability.

Researchers warn that a vulnerability patched this month in VMware Aria Operations for Networks, formerly known as vRealize Network Insight, is now seeing exploitation en masse. The flaw allows for remote code execution through command injection and is rated with critical severity.

“New data from Akamai shows the scale of active scanning for sites vulnerable to CVE-2023-20887 is much greater than originally reported,” researchers from Akamai told CSO via email. “There have been 695,072 total attacks thus far by 508 unique IP addresses. Akamai has also observed more than 27,000 of its customers' sites being scanned.”

Not the only VMware Aria Operations flaw

VMware released patches for the CVE-2023-20887 vulnerability on June 7, along with fixes for two other flaws in Aria Operations for Networks, one of which is also critical and can lead to remote code execution. While CVE-2023-20887 is a command injection flaw, the second vulnerability, tracked as CVE-2023-20888, is a deserialization issue.

In programming languages, serialization is the process of transforming data into a byte stream for transmission to another application, and deserialization is the reverse of that process. Because deserialization routines involve the parsing and interpretation of user-controlled data, they have been the source of many vulnerabilities.

Attackers can exploit both CVE-2023-20887 and CVE-2023-20888 if they have network access to the vulnerable application, but the latter also requires the attacker to have "member" role credentials to perform the attack, which makes it less practical to exploit. The third vulnerability, CVE-2023-20889, is a command injection vulnerability that can lead to sensitive information disclosure and is rated 8.8 (High) on the CVSS severity scale.
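To make the deserialization risk described above concrete, here is an added Python example (not part of the original article, not VMware's code, and not a reproduction of CVE-2023-20888) showing a deserializer acting on instructions carried in the byte stream, next to an allow-list form that refuses them. The `Gadget` class, the allow-list contents and the sample inputs are constructed for illustration.

```python
import io
import pickle
import platform
from collections import OrderedDict


class Gadget:
    """Constructed object: its serialized form names a callable to invoke on load."""

    def __reduce__(self):
        # Harmless stand-in; the stream, not the receiver, picks this function.
        return (platform.python_version, ())


# Assumption: the only non-primitive type this service expects to receive.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowListUnpickler(pickle.Unpickler):
    """Resolve only pre-approved types; refuse everything else before it runs."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def load_naive(blob):
    # Weak form: interprets whatever type and call instructions the bytes carry.
    return pickle.loads(blob)


def try_filtered(blob):
    # Hardened form: returns ("ok", object) or ("blocked", reason).
    try:
        return "ok", AllowListUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return "blocked", str(exc)


if __name__ == "__main__":
    hostile = pickle.dumps(Gadget())                   # constructed sample input
    benign = pickle.dumps(OrderedDict(role="member"))  # constructed sample input
    print("naive   :", repr(load_naive(hostile)))  # a call result, not a Gadget
    print("filtered:", try_filtered(hostile))
    print("filtered:", try_filtered(benign))
```

The naive loader hands back the result of a function call chosen by the sender, while the filtered loader rejects the same bytes at type resolution and still accepts the expected type.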
VMware advises customers to deploy the patches available for their respective version as soon as possible. The company updated its advisory on June 13 to warn that exploit code for CVE-2023-20887 was released and again on June 20 to warn that active exploitation has occurred in the wild. According to Akamai and telemetry from attack monitoring service GreyNoise, the number of attacks has increased since then.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-20887 to its catalog of Actively Exploited Vulnerabilities along with the iOS vulnerabilities exploited in Operation Triangulation and a command injection flaw in network-attached storage devices from Zyxel. An authentication bypass flaw in VMware Tools (CVE-2023-20867) was also added to the catalog after being exploited as a zero-day by a Chinese cyberespionage actor to execute commands inside guest virtual machines from a compromised host.

VMware patches multiple vCenter flaws

Last week, VMware also released fixes for five vulnerabilities in its vCenter Server product that allows administrators to manage virtual infrastructure: CVE-2023-20892, CVE-2023-20893, CVE-2023-20894, CVE-2023-20895, and CVE-2023-20896. The first four flaws can lead to arbitrary code execution, memory corruption and authentication bypass and are rated with 8.1 (High) severity on the CVSS scale. Exploitation of the last flaw can result in a denial-of-service condition and is rated with a 5.9 severity score.

Even though there are no reports that these vulnerabilities have been exploited in the wild yet, attackers have been targeting flaws in VMware products. VMware users should deploy the available patches as soon as possible.