What is VMware Aria Operations for Networks?
VMware Aria Operations for Networks (formerly vRealize Network Insight, or vRNI) is a network analytics and visibility platform for VMware vSphere and NSX environments. It provides traffic flow analysis, network topology mapping, security audit capabilities, and troubleshooting tools for virtual datacenter networks. Aria Operations for Networks has broad network visibility — it receives flow data from NSX, vCenter, and physical switches, and often stores network configuration details, topology data, and security policy information. Compromise of the platform provides visibility into network architecture and potentially stored credentials for integrated systems.
Overview
CVE-2023-20887 is a critical command injection vulnerability in VMware Aria Operations for Networks that allows an unauthenticated attacker with network access to the appliance to execute arbitrary OS commands. VMware patched it in VMSA-2023-0012 alongside two related vulnerabilities (CVE-2023-20888 and CVE-2023-20889). Following public PoC publication on June 13, 2023, CISA confirmed active exploitation within days and added CVE-2023-20887 to its Known Exploited Vulnerabilities (KEV) catalog on June 22.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| VMware Aria Operations for Networks | 6.x | 6.x patch per VMSA-2023-0012 |
Technical Details
CWE-77 (Command Injection). VMware Aria Operations for Networks uses Apache Thrift for internal RPC communication between platform components. The Thrift RPC service is accessible on the network and lacks sufficient authentication for certain endpoints. An unauthenticated attacker can send specially crafted Thrift RPC requests containing injected OS commands that are executed on the underlying appliance OS without proper sanitization.
The attack does not require any credentials — only network access to the Aria Operations for Networks appliance management IP. Successful exploitation achieves OS command execution as a privileged user on the appliance, enabling installation of backdoors, credential harvesting from the platform's configuration database, and access to all network flow and topology data collected by the platform.
VMSA-2023-0012 also addressed CVE-2023-20888 (authenticated deserialization RCE) and CVE-2023-20889 (command injection requiring authentication), but CVE-2023-20887 is the most critical due to its unauthenticated attack vector.
Discovery
Discovered and reported to VMware by security researchers. A public PoC was published on June 13, 2023, within six days of the patch, and active exploitation was confirmed afterwards. The rapid PoC-to-exploitation timeline reflects the attractiveness of VMware infrastructure products as targets and the availability of public exploitation code.
Exploitation Context
VMware management platform vulnerabilities are consistently exploited by threat actors targeting enterprise virtualization infrastructure. Aria Operations for Networks sits at a privileged position in VMware environments — it has visibility into all network flows and topology, and its compromise provides reconnaissance data useful for planning further attacks against the virtualized datacenter. Nation-state actors targeting critical infrastructure and ransomware operators targeting enterprise environments both exploit VMware management plane vulnerabilities as part of comprehensive infrastructure compromise campaigns.
Remediation
- Apply patches per VMware Security Advisory VMSA-2023-0012 immediately.
- Restrict network access to Aria Operations for Networks management interfaces to trusted management networks — the Thrift RPC service should not be internet-accessible.
- Also apply patches for CVE-2023-20888 (deserialization) and CVE-2023-20889 (authenticated command injection) covered in the same advisory.
- Review Aria Operations for Networks platform logs for unusual API or RPC activity around and after the June 2023 disclosure period.
- After patching, verify integrity of the appliance configuration and check for unexpected accounts, cron jobs, or persistent scripts that may indicate prior compromise.
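
The account and cron checks from the last remediation step, as an added example that is not VMware tooling or part of the original advisory. It assumes the appliance keeps accounts in `/etc/passwd` and cron entries in `/etc/crontab`, `/etc/cron.d` and `/var/spool/cron/crontabs`, and that a baseline directory (`passwd`, `cron.txt`) was captured from a known-good appliance of the same build; the function names are this example's own.

```sh
#!/bin/sh
# Added example: diff an appliance's accounts and cron entries against a
# known-good baseline. Paths are standard Linux locations (assumption), not
# values taken from VMware documentation.

# Accounts in the current passwd file ($2) that the baseline ($1) lacks.
new_accounts() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             !($1 in seen) { print $1 ":" $3 ":" $7 }' "$1" "$2"
}

# Any UID 0 account other than root is a finding regardless of the baseline.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Flatten every cron source under filesystem root $1 into "path: entry"
# lines, skipping comments and blank lines.
dump_cron() {
    for f in "$1"/etc/crontab "$1"/etc/cron.d/* "$1"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        awk -v src="${f#"$1"}" '!/^[ \t]*(#|$)/ { print src ": " $0 }' "$f"
    done
}

# Lines of $2 that do not appear verbatim in $1 (an empty baseline flags all).
not_in_baseline() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# $1 = baseline dir holding passwd and cron.txt (output of dump_cron on a
# known-good appliance); $2 = filesystem root to inspect ("/" when live).
triage() {
    tmp=$(mktemp) || return 1
    dump_cron "$2" > "$tmp"
    new_accounts "$1/passwd" "$2/etc/passwd" | sed 's/^/NEW ACCOUNT: /'
    extra_uid0 "$2/etc/passwd" | sed 's/^/EXTRA UID 0: /'
    not_in_baseline "$1/cron.txt" "$tmp" | sed 's/^/NEW CRON: /'
    rm -f "$tmp"
}

if [ "$#" -eq 2 ]; then triage "$1" "$2"; fi
```

Each output line is a lead to investigate against change records, not proof of compromise; an empty result only covers the sources compared here.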
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-20887 |
| Vendor / Product | VMware — Aria Operations for Networks |
| NVD Published | 2023-06-07 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-77 |
| CISA KEV Added | 2023-06-22 |
| CISA KEV Deadline | 2023-07-13 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-06-07 | VMware publishes VMSA-2023-0012 patching CVE-2023-20887, CVE-2023-20888, and CVE-2023-20889 |
| 2023-06-13 | Proof-of-concept exploit published publicly |
| 2023-06-22 | CISA adds to Known Exploited Vulnerabilities catalog — active exploitation confirmed after PoC release |
| 2023-07-13 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| VMware Security Advisory VMSA-2023-0012 | Vendor Advisory |
| NVD — CVE-2023-20887 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |