Skip to content
Threat Feed
critical advisory

VMware Aria Operations CVE-2023-20887 Exploitation Attempt

Detection of potential exploitation attempts against VMware Aria Operations (formerly vRealize Network Insight) by monitoring for HTTP POST requests to the /saas./resttosaasservlet endpoint, indicative of CVE-2023-20887 exploitation leading to arbitrary code execution.

This threat brief focuses on potential exploitation attempts targeting CVE-2023-20887 in VMware Aria Operations (formerly vRealize Network Insight). This vulnerability allows for arbitrary code execution. The observed activity involves HTTP POST requests directed at the /saas./resttosaasservlet endpoint. Successful exploitation could lead to complete system compromise, data theft, and further lateral movement within the network. This activity began gaining significant traction in early 2023, with proof-of-concept exploits becoming publicly available. Defenders should prioritize patching and monitoring for related network traffic.

Attack Chain

  1. The attacker identifies a vulnerable VMware Aria Operations instance exposed to the internet.
  2. The attacker crafts a malicious HTTP POST request targeting the /saas./resttosaasservlet endpoint.
  3. The crafted request exploits CVE-2023-20887, bypassing authentication and authorization controls.
  4. The vulnerability allows the attacker to inject arbitrary code into the server-side application.
  5. The injected code executes with the privileges of the vulnerable application, typically SYSTEM or root.
  6. The attacker establishes a reverse shell connection to an external attacker-controlled server.
  7. The attacker leverages the reverse shell for post-exploitation activities, such as credential harvesting and lateral movement.
  8. The ultimate objective is to exfiltrate sensitive data or deploy ransomware across the network.

Impact

Successful exploitation of CVE-2023-20887 allows unauthenticated attackers to execute arbitrary code on affected VMware Aria Operations systems. This can lead to a complete compromise of the affected system, including data theft, denial of service, and the potential to use the compromised system as a pivot point for further attacks within the network. Public reports indicate widespread scanning activity targeting this vulnerability.

Recommendation

  • Deploy the Sigma rule VMware Aria Operations Exploit Attempt - HTTP POST to detect malicious HTTP POST requests to the vulnerable endpoint, focusing on web server logs (category: webserver, product: linux).
  • Inspect web server logs for HTTP POST requests to /saas./resttosaasservlet with a 200 status code, as this is an indicator of potential successful exploitation.
  • Apply the latest patches for VMware Aria Operations to remediate CVE-2023-20887 as referenced in the provided links.
  • Monitor network traffic for outbound connections originating from VMware Aria Operations servers, particularly connections to unusual or suspicious destinations.
  • Implement network segmentation to limit the impact of a successful compromise, preventing lateral movement to other critical systems.

Detection coverage 2

VMware Aria Operations Exploit Attempt - HTTP POST

critical

Detects HTTP POST requests to the /saas./resttosaasservlet endpoint, indicative of CVE-2023-20887 exploitation attempts.

sigma tactics: initial_access techniques: T1190 sources: webserver, linux

VMware Aria Operations Exploit Attempt - Abnormal User Agent

high

Detects potential exploitation attempts against VMware Aria Operations by monitoring for unusual User-Agent strings.

sigma tactics: initial_access techniques: T1190 sources: webserver, linux

Detection queries are available on the platform. Get full rules →