CVE-2023-20867 — VMware Tools Authentication Bypass Vulnerability

CVE-2023-20867

VMware Tools — vgauth Module Bypass Allows Compromised ESXi Host to Access Guest VMs Without Authentication; Fixed 12.2.5; UNC3886 Chinese APT Exploitation

What is VMware Tools?

VMware Tools is a suite of utilities installed inside virtual machines (guests) to improve interaction between the guest OS and the VMware hypervisor (ESXi host). A key component is the VMware Guest Authentication (vgauth) module, which authenticates and authorizes host-to-guest operations — commands or file transfers initiated by the ESXi host and directed to a running guest VM. These operations include file uploads, command execution in the guest, and retrieval of guest process output — capabilities used by VMware management workflows, backup software, and orchestration tools. The vgauth module's authentication check ensures that only legitimate and authorized host-initiated operations reach the guest OS, providing a boundary between the hypervisor's administrative capabilities and the guest's security context.

Overview

CVE-2023-20867 is an authentication bypass vulnerability (CWE-287 — Improper Authentication) in VMware Tools' vgauth module that allows an attacker who has already compromised the ESXi host with root/administrator privileges to bypass the authentication check for host-to-guest operations, gaining the ability to interact with guest VMs without proper authorization. VMware patched it in Tools version 12.2.5 via advisory VMSA-2023-0013. CISA added it to the KEV catalog on June 23, 2023.

The 3.9 LOW CVSS score reflects the narrow precondition: exploitation requires the attacker to have already compromised the hypervisor at root level. However, in practice — as demonstrated by UNC3886 — a compromised hypervisor is a realistic stepping stone, and CVE-2023-20867 extends the blast radius from hypervisor root to all hosted guest VMs.

Affected Versions

Product              Affected           Fixed
VMware Tools 12.x    Prior to 12.2.5    12.2.5
VMware Tools 11.x    All versions       No standalone fix — upgrade to 12.2.5
VMware Tools 10.x    All versions       No standalone fix — upgrade to 12.2.5
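
The affected ranges from the table above, applied to a guest inventory as an added example (this is not code from the page or from VMware): the CSV column names are an assumption about how an inventory export might look, and the VM names and build suffixes are constructed.

```python
"""Flag guest VMs whose VMware Tools version falls in a range affected by
CVE-2023-20867: 10.x and 11.x in every version, 12.x before 12.2.5.
Anything at or above the fixed release 12.2.5 is treated as patched."""
import csv
import io
import re

FIXED_VERSION = (12, 2, 5)

# Constructed sample inventory (assumed column names, fake build numbers).
SAMPLE_INVENTORY = """\
Name,PowerState,ToolsVersion
web-01,PoweredOn,12.2.5 (build 99901)
db-01,PoweredOn,12.1.5 (build 99902)
legacy-app,PoweredOn,11.3.5
jump-01,PoweredOn,10.3.26
template-01,PoweredOff,
"""

def parse_tools_version(text):
    """Leading dotted numeric part of a Tools version string as an int tuple,
    e.g. '12.1.5 (build 99902)' -> (12, 1, 5); None when nothing is reported."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True when the reported version is below the fixed release. Tuple
    comparison handles short forms: (12, 2) < (12, 2, 5), but (12, 3) is not."""
    parsed = parse_tools_version(version)
    return parsed is not None and parsed < FIXED_VERSION

def triage_inventory(csv_text):
    """Split an inventory into VMs needing the 12.2.5 upgrade and VMs whose
    Tools version is unknown (not installed or not reporting); the unknown
    ones need a manual check rather than a silent pass."""
    affected, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if parse_tools_version(row["ToolsVersion"]) is None:
            unknown.append(row["Name"])
        elif is_affected(row["ToolsVersion"]):
            affected.append(row["Name"])
    return {"affected": affected, "unknown": unknown}

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
```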

Technical Details

The vgauth module authenticates host-initiated operations using a token exchange between the guest agent (running inside the VM) and the host-side VMCI (Virtual Machine Communication Interface) transport. The authentication bypass (CWE-287) occurs when a compromised ESXi host sends crafted authentication tokens that the vgauth module incorrectly accepts as valid, suppressing the authentication challenge that would normally prevent an unauthorized operation.

The practical exploitation chain:

  1. Compromise ESXi — the attacker obtains root-level access to the ESXi hypervisor (via a separate vulnerability such as CVE-2023-34048 in vCenter, or direct ESXi exploitation)
  2. Leverage CVE-2023-20867 — from the ESXi root context, issue host-to-guest operations through VMware Tools' VMCI transport with a bypassed authentication token
  3. Interact with guest VMs — execute commands in the guest OS, read or write guest filesystem contents, or exfiltrate credentials from guest memory — without authenticating to the guest OS itself

In the CVSS vector, S:C (scope changed) reflects that exploitation crosses from the compromised hypervisor into previously separate guest VMs, and AC:H (high attack complexity) reflects the precondition of an already-compromised hypervisor.

Discovery

CVE-2023-20867 was identified in the context of Mandiant's investigation of UNC3886, a Chinese cyber-espionage group targeting VMware ESXi infrastructure at defense contractors, government agencies, and technology companies. Mandiant researchers discovered the vulnerability while analyzing UNC3886's tooling and techniques for maintaining persistent access across VMware-based infrastructure.

Exploitation Context

UNC3886 — a Chinese state-sponsored APT with overlaps attributed to APT41 — specifically targeted VMware ESXi hypervisors as a means of establishing deep, persistent access across all hosted guest VMs simultaneously. Their methodology:

  • Exploit vCenter vulnerabilities (including CVE-2023-34048, a vCenter DCERPC RCE) to gain an initial foothold on vCenter and then ESXi
  • Deploy VIRTUALPITA and VIRTUALPIE malware as vSphere Installation Bundles (VIBs) directly on ESXi hosts to establish persistence at the hypervisor layer
  • Use CVE-2023-20867 to leverage that ESXi access into guest VM interaction — executing commands, harvesting credentials, and moving laterally through the virtualized environment

The targeting focus on VMware infrastructure reflects a strategic preference by sophisticated APTs: compromising the hypervisor yields access to all VMs in the environment simultaneously, bypasses guest-level endpoint detection, and survives guest OS reimaging.

CVE-2023-20867 is dangerous specifically because it extends the post-ESXi-compromise capability beyond the hypervisor: an attacker with ESXi root can silently interact with every hosted guest VM without those VMs' security controls detecting the intrusion.

Remediation

  1. Upgrade VMware Tools to 12.2.5 — applies the vgauth authentication fix; deploy via VMware vCenter update orchestration to all guest VMs.
  2. Treat ESXi compromise as a full environment incident — CVE-2023-20867's exploitation requires ESXi root access; if ESXi compromise is suspected, assume all hosted guest VMs are also compromised and initiate full incident response across the environment.
  3. Harden ESXi management access — restrict ESXi and vCenter management interfaces to dedicated administrative networks; never expose the ESXi management interface or vSphere Web Client to the internet.
  4. Monitor for unauthorized VIBs — regularly audit installed VIBs on ESXi hosts for unexpected entries; UNC3886 used malicious VIBs as their persistence mechanism alongside CVE-2023-20867 exploitation.
  5. Enable VMware vSphere audit logging — enable and forward ESXi syslog and vCenter audit events to a SIEM; monitor for anomalous host-to-guest operations, unexpected VIB installation, and unauthorized vCenter API calls.
  6. Segment hypervisor management networks — ensure ESXi VMCI/management traffic is not accessible from guest VM networks; lateral movement from a compromised guest to the hypervisor management plane should require additional network access not available to standard guest workloads.
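
An added example for remediation step 4 (not code from the page, VMware, or Mandiant): auditing captured output of the real `esxcli software vib list` command against a baseline taken from a known-good host. The column layout is assumed from that command's output; the sample rows, VIB names and versions are constructed and are not indicators from any real intrusion.

```python
"""Audit `esxcli software vib list` output for VIBs that need a closer look:
names absent from a baseline captured on a clean host of the same ESXi build,
vendor strings that differ from that baseline, and CommunitySupported entries."""
import re

# Constructed sample output; the two suspicious names are invented for illustration.
SAMPLE_VIB_LIST = """\
Name                    Version            Vendor  Acceptance Level    Install Date
----------------------  -----------------  ------  ------------------  ------------
esx-base                8.0.0-1.0.1000     VMW     VMwareCertified     2023-01-15
vmkusb                  0.1-1vmw.800.1000  VMW     VMwareCertified     2023-01-15
dell-configuration-vib  8.0-1              DEL     PartnerSupported    2023-01-15
example-monitor         1.0-1              VMW     CommunitySupported  2023-05-02
example-helper          2.1-3              ACME    PartnerSupported    2023-05-02
"""

# Constructed baseline (VIB name -> vendor) captured from a clean host.
BASELINE = {"esx-base": "VMW", "vmkusb": "VMW", "dell-configuration-vib": "DEL"}

def parse_vib_list(text):
    """esxcli pads columns with two or more spaces and no value contains a
    double space, so splitting on runs of spaces yields exactly five fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name", "---")):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 5:
            continue  # wrapped or truncated line; surface separately in practice
        rows.append(dict(zip(("name", "version", "vendor", "acceptance", "installed"), fields)))
    return rows

def audit_vibs(text, baseline):
    """Return [(name, [reasons...])]. Vendor and acceptance level are descriptor
    metadata chosen by whoever built the VIB and a forced install can go below
    the host's acceptance level, so the baseline comparison is the decisive check."""
    findings = []
    for vib in parse_vib_list(text):
        reasons = []
        expected = baseline.get(vib["name"])
        if expected is None:
            reasons.append("not in baseline")
        elif expected != vib["vendor"]:
            reasons.append(f"vendor changed ({expected} -> {vib['vendor']})")
        if vib["acceptance"] == "CommunitySupported":
            reasons.append("CommunitySupported acceptance level")
        if reasons:
            findings.append((vib["name"], reasons))
    return findings
```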

Key Details

Property               Value
CVE ID                 CVE-2023-20867
Vendor / Product       VMware — Tools
NVD Published          2023-06-13
NVD Last Modified      2025-10-28
CVSS 3.1 Score         3.9
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Severity               LOW
CWE                    CWE-287
CISA KEV Added         2023-06-23
CISA KEV Deadline      2023-07-14
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Local
Attack Complexity      High
Privileges Required    High
User Interaction       None
Scope                  Changed
Confidentiality        Low
Integrity              Low
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2023-07-14. Apply updates per vendor instructions.

Timeline

Date         Event
2023-06-13   CVE-2023-20867 published; VMware releases VMSA-2023-0013 advisory and VMware Tools 12.2.5 patch
2023-06-23   CISA adds CVE-2023-20867 to the Known Exploited Vulnerabilities catalog — 10 days after publication
2023-07-14   CISA BOD 22-01 remediation deadline

References

Resource                  Type
NVD — CVE-2023-20867      Vulnerability Database
CISA KEV Catalog Entry    US Government