CISA says latest VMware analytics bug being exploited

A new vulnerability affecting a popular VMware network analytics product is being exploited by hackers, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

CISA added CVE-2023-20887 to its catalog of known exploited vulnerabilities on Thursday, days after several researchers raised concerns about the issue and VMware confirmed that it is seeing exploitation in the wild.

The vulnerability affects VMware Aria Operations for Networks (formerly vRealize Network Insight), a product network administrators use to monitor and troubleshoot VMware and Kubernetes deployments.

“A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution,” VMware said in its advisory.

It carries a CVSS score of 9.8 out of 10, indicating critical severity, and was reported by a researcher working with Trend Micro's Zero Day Initiative.

VMware confirmed on June 13 that exploit code was published after a researcher known as SinSinology shared it on their GitHub page.

CISA and VMware urged customers to update their systems to the latest version.

Jacob Fisher, a researcher with security firm GreyNoise, said last week that they “have observed attempted mass-scanning activity utilizing the Proof-Of-Concept code.” GreyNoise CEO Andrew Morris shared charts showing exploitation of the vulnerability.

CISA added five other vulnerabilities to its catalog, including three affecting the Roundcube Webmail service that were exploited by Russian hackers targeting Ukrainian government officials.

Ukraine’s computer emergency response team (CERT-UA) and researchers from Recorded Future’s Insikt Group attributed the campaign to APT28 — also known as Fancy Bear and BlueDelta — which multiple Western governments believe is run within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

The campaign targeted the email inboxes of a regional prosecutor's office, an undisclosed Ukrainian executive authority, other government entities and an organization involved in military aircraft infrastructure upgrade and refurbishment.

Alongside the Roundcube bugs are two vulnerabilities from 2016 – Mozilla Firefox bug CVE-2016-9079 and Microsoft Win32k issue CVE-2016-0165.

Federal civilian agencies must patch all of the newly added vulnerabilities by July 13, CISA said.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.