---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerabilities in VMware Aria Operations for Networks'
version: '1.0'
number: '2023-036'
original_date: 'June 7, 2023'
date: 'June 8, 2023'
---

_History:_

* _08/06/2023 --- v1.0 -- Initial publication_

# Summary

On June 7, 2023, VMware issued multiple security patches to address critical vulnerabilities in VMware Aria Operations for Networks, formerly known as vRealize Network Insight. The vulnerabilities allow attackers to gain remote code execution or access sensitive information [1].

CERT-EU recommends upgrading as soon as possible.

# Technical Details

- **CVE-2023-20887**

  This critical severity vulnerability, with a CVSS score of 9.8 out of 10, allows an unauthenticated attacker to perform a command injection attack resulting in remote code execution.

- **CVE-2023-20888**

  This vulnerability, with a CVSS score of 9.1 out of 10, allows an authenticated attacker with a valid `member` role to perform a deserialisation attack resulting in remote code execution.

- **CVE-2023-20889**

  This vulnerability, with a CVSS score of 8.8 out of 10, allows an unauthenticated attacker to perform a command injection attack resulting in information disclosure.

# Affected Products

VMware Aria Operations for Networks versions 6.x are affected by these vulnerabilities. The fixed version is KB92684 [1].

# Recommendations

CERT-EU highly recommends updating the affected products to the fixed version.

# References

[1]