Security News
VMware has patched an information disclosure vulnerability in VMware Tanzu Application Service for VMs and Isolation Segment caused by credentials being logged and exposed via system audit logs. Tracked as CVE-2023-20891, the security flaw addressed today by VMware would allow remote attackers with low privileges to access Cloud Foundry API admin credentials on unpatched systems in low-complexity attacks that don't require user interaction.
VMware warned customers today that exploit code is now available for a critical vulnerability in the VMware Aria Operations for Logs analysis tool, which helps admins manage terabytes worth of app and infrastructure logs in large-scale environments. Recently, VMware issued another alert about a now-patched critical bug in VMware Aria Operations for Networks that allows remote command execution as the root user and is being actively exploited in attacks.
The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide. BleepingComputer's analysis of the Linux encryptor shows it has a project name of 'Esxi Build Esxi6,' indicating the threat actors designed it specifically to target VMware ESXi servers.
VMware has addressed multiple high-severity security flaws in vCenter Server, which can let attackers gain code execution and bypass authentication on unpatched systems. vCenter Server is the control center for VMware's vSphere suite and a server management solution that helps admins manage and monitor virtualized infrastructure.
CVE-2023-20887, a pre-authentication command injection vulnerability in VMware Aria Operations for Networks, has been spotted being exploited in the wild. CVE-2023-20887 is one of three vulnerabilities recently discovered by Sina Kheirkhah of Summoning Team and an anonymous researcher and privately reported to VMware.
VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks has come under active exploitation in the wild. The flaw, tracked as CVE-2023-20887, could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution.
VMware updated a security advisory published two weeks ago to warn customers that a now-patched critical vulnerability allowing remote code execution is being actively exploited in attacks. This notice follows multiple warnings from cybersecurity firm GreyNoise, the first issued one week after VMware patched the security flaw on June 15 and just two days after security researcher Sina Kheirkhah shared technical details and proof-of-concept exploit code.
VMware has fixed two critical and one important vulnerability in Aria Operations for Networks, its popular enterprise network monitoring tool. CVE-2023-20887 is a pre-authentication command injection vulnerability that may allow a malicious actor with network access to VMware Aria Operations for Networks to perform a command injection attack and execute code remotely.
The Chinese state-sponsored group known as UNC3886 has been found to exploit a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems. The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867, "enabled the execution of privileged commands across Windows, Linux, and PhotonOS guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs," Mandiant said.
Microsoft has released security updates for 78 flaws for June's Patch Tuesday, and luckily for admins, none of these are being exploited. CVE-2023-29357, a Microsoft SharePoint Server Elevation of Privilege Vulnerability, is one that Redmond lists as "Exploitation more likely." This may be because, when chained with other bugs, it was used to bypass authentication during March's Pwn2Own contest.