CVE-2023-20867

CVE-2023-20867 is a critical vulnerability in VMware Tools, first revealed by Mandiant researchers in June 2023. This flaw in software design or implementation was exploited by the threat group UNC3886, allowing it to gain privileged access to Windows, Linux, and PhotonOS guest virtual machines without authentication from a compromised ESXi host. The exploitation of this zero-day vulnerability enabled the execution of arbitrary commands and the transfer of files to and from guest VMs, posing significant security threats. The vulnerability was actively exploited by Chinese cyberespionage actors for data theft purposes, leading VMware to issue a patch in June 2023. Alongside CVE-2023-20867, an authentication bypass flaw in VMware Tools was also added to the catalog after being exploited as a zero-day by the same actor. The successful exploitation of these vulnerabilities allowed the attacker to execute commands inside guest virtual machines from a compromised host, further escalating the severity of the incident. In response to these events, VMware alerted customers to the actively abused critical flaw in the Aria Operations for Networks analytics tool, while also addressing the vulnerability in its ESXi product. The company's swift action mitigated the immediate risks posed by CVE-2023-20867, but the incident underscores the ongoing challenges of securing complex virtual environments against sophisticated threat actors.