Akamai reports nearly 700,000 attacks with 27,000 of its customers being scanned for the vulnerability.

Researchers warn that a vulnerability patched this month in VMware Aria Operations for Networks, formerly known as vRealize Network Insight, is now being exploited en masse. The flaw, tracked as CVE-2023-20887, allows unauthenticated remote code execution through command injection and is rated critical (CVSS 9.8).

“New data from Akamai shows the scale of active scanning for sites vulnerable to CVE-2023-20887 is much greater than originally reported,” researchers from Akamai told CSO via email. “There have been 695,072 total attacks thus far by 508 unique IP addresses. Akamai has also observed more than 27,000 of its customers' sites being scanned.”

Not the only VMware Aria Operations flaw

VMware released patches for CVE-2023-20887 on June 7, along with fixes for two other flaws in Aria Operations for Networks, one of which is also rated critical and can likewise lead to remote code execution. While CVE-2023-20887 is a command injection flaw, the second vulnerability, tracked as CVE-2023-20888 (CVSS 9.1), is a deserialization issue. Serialization is the process of transforming an object or data structure into a byte stream so it can be stored or transmitted to another application; deserialization is the reverse. Because deserialization routines parse and interpret user-controlled data in order to reconstruct objects, and many serialization formats let the byte stream itself name which classes or functions are to be invoked, they have been the source of many vulnerabilities.

Attackers can exploit both CVE-2023-20887 and CVE-2023-20888 if they have network access to the vulnerable application, but the latter also requires credentials for an account with the "member" role, which makes it less practical to exploit. The third vulnerability, CVE-2023-20889, is a command injection flaw that can lead to sensitive information disclosure and is rated 8.8 (High) on the CVSS scale.
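To make the deserialization point above concrete, here is an added example written for this page; it is not code from VMware, Akamai or the Aria Operations product and does not reproduce CVE-2023-20888. It models a toy service that accepts Python pickle bytes from clients: the client's byte stream names a callable (here subprocess.check_output) and its arguments, so the act of loading the stream runs the attacker's command. The Gadget class, the request shape, the handler names and the marker string are all assumptions for the demo, and the "attack" runs a harmless python -c print(...) in place of a real command. A restricted unpickler that allowlists globals, and a JSON handler with schema checks, are shown as the fixes.

```python
"""Insecure deserialization demo: a user-controlled byte stream drives object
construction, so the loads() call itself becomes the code-execution sink.
Hypothetical example, not code from VMware or Akamai."""
import io
import json
import pickle
import subprocess
import sys

# Constructed sample request that a legitimate client of the toy service sends.
LEGIT_REQUEST = {"query": "vm-42", "limit": 10}
LEGIT_PICKLE = pickle.dumps(LEGIT_REQUEST)
LEGIT_JSON = json.dumps(LEGIT_REQUEST).encode()

# Benign stand-in for an attacker's command: run this same interpreter and
# print a marker. A real payload would call os.system / subprocess with a
# reverse shell or similar instead.
MARKER = "code ran during loads"
ATTACK_ARGV = [sys.executable, "-c", f"print({MARKER!r})"]


class Gadget:
    """__reduce__ tells pickle how to rebuild this object: call the returned
    callable with the returned args. The callable may be any importable name,
    so the stream ends up referencing subprocess.check_output, not Gadget."""

    def __init__(self, argv):
        self.argv = argv

    def __reduce__(self):
        return (subprocess.check_output, (self.argv,))


def build_payload(argv=ATTACK_ARGV) -> bytes:
    """What the attacker sends over the wire."""
    return pickle.dumps(Gadget(argv))


def vulnerable_handler(body: bytes):
    """Server side as found in many real applications: the client's bytes are
    deserialized without restriction, so the gadget's callable runs here and
    its return value (the command output) is what loads() hands back."""
    return pickle.loads(body)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist which globals a stream may reference. Plain containers,
    strings and numbers never go through find_class, so LEGIT_REQUEST still
    loads; the gadget needs subprocess.check_output and is refused."""

    ALLOWED = set()  # (module, name) pairs; nothing beyond pickle's literal types

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def hardened_handler(body: bytes):
    return RestrictedUnpickler(io.BytesIO(body)).load()


def payload_rejected(body: bytes) -> bool:
    """True if the hardened handler refuses to load the stream."""
    try:
        hardened_handler(body)
    except pickle.UnpicklingError:
        return True
    return False


def json_handler(body: bytes) -> dict:
    """Preferred fix: a data-only format plus explicit schema validation.
    JSON has no way to name a callable, so there is no gadget to reach."""
    req = json.loads(body)
    if not isinstance(req, dict) or set(req) != {"query", "limit"}:
        raise ValueError("unexpected request shape")
    if not (isinstance(req["query"], str) and isinstance(req["limit"], int)):
        raise ValueError("unexpected field types")
    return req


if __name__ == "__main__":
    print(vulnerable_handler(LEGIT_PICKLE))                 # the request dict
    print(vulnerable_handler(build_payload()).strip())      # the marker: command ran
    print(payload_rejected(build_payload()))                # True
    print(hardened_handler(LEGIT_PICKLE))                   # the request dict
    print(json_handler(LEGIT_JSON))                         # the request dict
```

The allowlist approach only works when the service knows exactly which types it expects and keeps the list empty or very short; the safer design is to stop accepting a format that can name code at all, which is what the JSON handler does.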
VMware advises customers to deploy the patches available for their respective version as soon as possible. The company updated its advisory on June 13 to warn that exploit code for CVE-2023-20887 had been released, and again on June 20 to warn that it had been exploited in the wild. According to Akamai and telemetry from the attack monitoring service GreyNoise, the number of attacks has increased since then.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-20887 to its Known Exploited Vulnerabilities (KEV) catalog, along with the iOS vulnerabilities exploited in Operation Triangulation and a command injection flaw in network-attached storage devices from Zyxel. An authentication bypass flaw in VMware Tools (CVE-2023-20867) was also added to the catalog after being exploited as a zero-day by a Chinese cyberespionage actor to execute commands inside guest virtual machines from a compromised ESXi host.

VMware patches multiple vCenter flaws

Last week, VMware also released fixes for five vulnerabilities in vCenter Server, the product administrators use to manage their virtual infrastructure: CVE-2023-20892, CVE-2023-20893, CVE-2023-20894, CVE-2023-20895, and CVE-2023-20896. The first four can lead to arbitrary code execution, memory corruption, or authentication bypass and are rated 8.1 (High) on the CVSS scale. The fifth can be exploited to cause a denial-of-service condition and is rated 5.9 (Medium). There are no reports yet of these vulnerabilities being exploited in the wild, but attackers have been actively targeting flaws in VMware products, and users should deploy the available patches as soon as possible.