Akamai reports nearly 700,000 attacks with 27,000 of its customers being scanned for the vulnerability.

Researchers warn that a vulnerability patched this month in VMware Aria Operations for Networks, formerly known as vRealize Network Insight, is now seeing exploitation en masse. The flaw allows for remote code execution through command injection and is rated with critical severity.

“New data from Akamai shows the scale of active scanning for sites vulnerable to CVE-2023-20887 is much greater than originally reported,” researchers from Akamai told CSO via email. “There have been 695,072 total attacks thus far by 508 unique IP addresses. Akamai has also observed more than 27,000 of its customers' sites being scanned.”

Not the only VMware Aria Operations flaw

VMware released patches for the CVE-2023-20887 vulnerability on June 7, along with fixes for two other flaws in Aria Operations for Networks, one of which is also critical and can lead to remote code execution. While CVE-2023-20887 is a command injection flaw, the second vulnerability, tracked as CVE-2023-20888, is a deserialization issue.

In programming languages, serialization is the process of transforming data into a byte stream for transmission to another application, and deserialization is the reverse of that process. Because deserialization routines involve the parsing and interpretation of user-controlled data, they have been the source of many vulnerabilities.

Attackers can exploit both CVE-2023-20887 and CVE-2023-20888 if they have network access to the vulnerable application, but the latter also requires the attacker to have "member" role credentials to perform the attack, which makes it less practical to exploit.

The third vulnerability, CVE-2023-20889, is a command injection vulnerability that can lead to sensitive information disclosure and is rated 8.8 (High) on the CVSS severity scale.
VMware advises customers to deploy the patches available for their respective version as soon as possible. The company updated its advisory on June 13 to warn that exploit code for CVE-2023-20887 had been released, and again on June 20 to warn that active exploitation has occurred in the wild. According to Akamai and telemetry from attack monitoring service GreyNoise, the number of attacks has increased since then.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-20887 to its catalog of Actively Exploited Vulnerabilities along with the iOS vulnerabilities exploited in Operation Triangulation and a command injection flaw in network-attached storage devices from Zyxel. An authentication bypass flaw in VMware Tools (CVE-2023-20867) was also added to the catalog after being exploited as a zero-day by a Chinese cyberespionage actor to execute commands inside guest virtual machines from a compromised host.

VMware patches multiple vCenter flaws

Last week, VMware also released fixes for five vulnerabilities in its vCenter Server product, which allows administrators to manage virtual infrastructure: CVE-2023-20892, CVE-2023-20893, CVE-2023-20894, CVE-2023-20895, and CVE-2023-20896.

The first four flaws can lead to arbitrary code execution, memory corruption and authentication bypass and are rated with 8.1 (High) severity on the CVSS scale. Exploitation of the last flaw can result in a denial-of-service condition and is rated with a 5.9 severity score.

Even though there are no reports that these vulnerabilities have been exploited in the wild yet, attackers have been targeting flaws in VMware products. VMware users should deploy the available patches as soon as possible.