CVE-2023-20867

Vulnerability updated 4 months ago (2024-05-04T20:42:32.777Z)

Download STIX

Preview STIX

CVE-2023-20867 is a critical vulnerability in VMware Tools, first revealed by Mandiant researchers in June 2023. This flaw in software design or implementation was exploited by the threat group UNC3886, allowing it to gain privileged access to Windows, Linux, and PhotonOS guest virtual machines without authentication from a compromised ESXi host. The exploitation of this zero-day vulnerability enabled the execution of arbitrary commands and the transfer of files to and from guest VMs, posing significant security threats. The vulnerability was actively exploited by Chinese cyberespionage actors for data theft purposes, leading VMware to issue a patch in June 2023. Alongside CVE-2023-20867, an authentication bypass flaw in VMware Tools was also added to the catalog after being exploited as a zero-day by the same actor. The successful exploitation of these vulnerabilities allowed the attacker to execute commands inside guest virtual machines from a compromised host, further escalating the severity of the incident. In response to these events, VMware alerted customers to the actively abused critical flaw in the Aria Operations for Networks analytics tool, while also addressing the vulnerability in its ESXi product. The company's swift action mitigated the immediate risks posed by CVE-2023-20867, but the incident underscores the ongoing challenges of securing complex virtual environments against sophisticated threat actors.

Description last updated: 2024-05-04T16:36:08.068Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Vmware

Mandiant

Vulnerability

Esxi

Vcenter

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

ID	Type	Votes	Profile Description
Unc3886	Unspecified	2	UNC3886 is a threat actor, believed to be linked to China, that has been active in cyberespionage activities. The group has been exploiting a zero-day vulnerability in VMware's vCenter Server, identified as CVE-2023-34048, since at least late 2021. This advanced persistent threat (APT) group's actio

Source Document References

Information about the CVE-2023-20867 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	8 months ago	CISA adds VMware vCenter Server bug to its Known Exploited Vulnerabilities catalog
BankInfoSecurity	3 months ago	Chinese Hackers Used Open-Source Rootkits for Espionage
DARKReading	8 months ago	Chinese Spies Exploited Critical VMware Bug for Nearly 2 Years
CERT-EU	8 months ago	Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years
Securityaffairs	8 months ago	China-linked APT UNC3886 exploits VMware zero-day since 2021
CERT-EU	8 months ago	Chinese hackers exploit VMware bug as zero-day for two years
CERT-EU	9 months ago	VMware fixes critical Cloud Director auth bypass unpatched for 2 weeks
CERT-EU	a year ago	Fedora 38: open-vm-tools 2023-df375d0634 \| LinuxSecurity.com
CERT-EU	a year ago	Fedora 39: open-vm-tools 2023-20b6ac4b6c \| LinuxSecurity.com
CERT-EU	a year ago	Debian update for open-vm-tools
CERT-EU	a year ago	SUSE update for open-vm-tools
CERT-EU	a year ago	Heimdal®’s Semiannual Rundown of the Most Exploited Vulnerabilities of 2023
CERT-EU	a year ago	SUSE update for open-vm-tools
CERT-EU	a year ago	Ubuntu update for open-vm-tools
CERT-EU	a year ago	Multiple vulnerabilities in Oracle Linux
CERT-EU	a year ago	Red Hat Enterprise Linux 8.6 Extended Update Support update for open-vm-tools
CERT-EU	a year ago	Une faille critique dans VMware Aria Operations for Networks, massivement exploitée - Le Monde Informatique
CERT-EU	a year ago	Bulletin d’actualité CERTFR-2023-ACT-028 – CERT-FR
CERT-EU	a year ago	【資安日報】6月27日，駭客散布植入木馬程式的瑪利歐電玩安裝軟體，目的將玩家電腦高性能的CPU與GPU運算資源用於挖礦
Flashpoint	a year ago	Tracking Patch Tuesday Vulnerabilities