Exploit Released for VMware Aria Operations for Networks RCE (CVE-2023-20887) Bug


A group of researchers has unveiled a proof-of-concept (PoC) demonstration for a serious Remote Code Execution (RCE) vulnerability present in VMware's Aria Operations for Networks. This software suite is commonly utilized by large-scale networks, making the potential impact of this vulnerability quite substantial.

The vulnerability, tracked as CVE-2023-20887, is a command injection flaw rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), which places it in the critical range. It can be exploited by unauthorized individuals through low-complexity attacks that require no user interaction, which makes it a pressing concern for system administrators and users.

At the heart of the issue is the system's susceptibility to command injection when receiving user input via the Apache Thrift RPC interface. This weakness allows remote, unauthorized attackers to execute arbitrary commands on the underlying operating system. Those commands run with root user privileges, giving the attacker essentially unrestricted control. Even more concerning, the reverse proxy designed to safeguard the RPC interface can be easily bypassed, which is a further weakness in its own right.

In reaction to this vulnerability, VMware has rolled out several security patches for the vulnerable Aria Operations for Networks version 6.x. But the threat isn't completely eliminated yet. The cybersecurity research team known as the Summoning Team has publicized a PoC exploit for the CVE-2023-20887 vulnerability, highlighting the urgency of the situation.

For those interested in delving deeper into the technical specifics of this vulnerability, the Summoning Team has published a thorough report detailing the root cause analysis. Below, you'll find a demonstration of the PoC for CVE-2023-20887.

Proof of Concept

Exploit Code | Metasploit Module | PDnuclei template