VMware ESXi Compromise Threatens Guest VM Security
Key Information
- Vendor: VMware
- Product: VMware Tools
- CVE Published: 13 June 2023
Summary
The VMware ESXi vulnerability CVE-2023-20867 is being actively exploited by a Chinese cyberespionage group known as UNC3886. The vulnerability allows the attacker to execute commands and transfer files to and from guest virtual machines from a compromised ESXi host without the need for guest credentials. This exploitation threatens the confidentiality and integrity of the guest VMs. The group is also deploying custom backdoors on compromised targets. The vendor, VMware, has patched the vulnerability; however, this case highlights the importance of timely patching and security vigilance in protecting against advanced cyber threats.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2023-20867 as being exploited, although CISA does not currently know it to be used in ransomware campaigns. This assessment may change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply updates per vendor instructions.
Affected Version(s)
VMware Tools >= 12.2.5
News Articles
- Chinese attackers exploiting unpatched VMware ESXi instances: Security researchers from Mandiant have identified a Chinese APT group exploiting a VMware ESXi zero-day vulnerability as part of a campaign tracked since September...
- Cyberespionage Group Targets New VMware Zero Day: A Chinese cyberespionage group known as UNC3886 has been exploiting a new zero day (CVE-2023-20867) in VMware Tools.
- Chinese Spies Exploited Critical VMware Bug for Nearly 2 Years: Even the most careful VMware customers may need to go back and double check that they weren't compromised by a zero-day exploit for CVE-2023-34048.
CVSS V3.1
Timeline
- Vulnerability started trending.
- Exploit exists.
- First article discovered by TechTarget.
- Vulnerability published.
- Vulnerability reserved.