VMware low severity zero day used to hack defence and tech companies
Take action: It is worth investing in patching low-severity vulnerabilities, because criminals invest in exploiting them by chaining them with other vulnerabilities.
Learn More
A zero-day vulnerability in VMware ESXi hypervisors, assigned the identifier CVE-2023-20867 and rated low severity, is being used to actively attack servers.
According to security researchers, a Chinese Advanced Persistent Threat (APT) group tracked as "UNC3886" is actively exploiting the vulnerability to gain comprehensive lateral movement capabilities within VMware environments without leaving any trace or activity logs.
CVE-2023-20867 requires that the attacker first gain access to an ESXi host via another exploit. Once inside the VMware environment, however, this vulnerability lets the attacker access the guest VMs, execute commands, and transfer files to and from guest VMs without needing guest credentials.
The usual vector of initial attack was a default vCenter deployment with known vulnerabilities. Once vCenter is compromised, its role as the central point for managing virtualized hosts helps the adversary move through the entire environment from a single point of access.
The "UNC3886" group has targeted defense, technology, and telecommunications companies, using various attacker scripts to obtain credentials, enumerate ESXi hosts and guest VMs, manipulate firewall rules, and steal data.
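The "take action" point above is that a vendor severity rating scores one CVE in isolation, while an intruder scores what a CVE unlocks once the preceding steps of a chain have succeeded. The following Python is an added example, not code from the original post or from VMware, that models that difference: each vulnerability is described by the capabilities it requires and the capabilities it grants, a forward-chaining pass works out which CVEs become exploitable from a network foothold, and every reachable CVE is then re-rated by the worst capability it hands over. The CVE identifiers other than CVE-2023-20867, the capability names, their impact ratings and the chain structure are constructed placeholders for illustration.

```python
"""Chain-aware patch prioritisation (added example with constructed data)."""
from dataclasses import dataclass

# Ordinal ranking so severities can be compared.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Vuln:
    cve: str
    vendor_severity: str     # severity as published for the CVE on its own
    requires: frozenset      # capabilities the attacker must already hold
    grants: frozenset        # capabilities gained by exploiting it


# Impact carried by an attacker capability, independent of any single CVE's
# score. These names and ratings are assumptions for the example.
CAPABILITY_IMPACT = {
    "network_access": "low",
    "vcenter_admin": "high",
    "esxi_host_shell": "high",
    "guest_exec_no_credentials": "critical",
}

# Constructed inventory. Only CVE-2023-20867 is a real identifier from the
# post; the other ids are placeholders standing in for the earlier chain steps.
VULNS = [
    Vuln("CVE-PLACEHOLDER-VCENTER", "critical",
         frozenset({"network_access"}), frozenset({"vcenter_admin"})),
    Vuln("CVE-PLACEHOLDER-HOST", "medium",
         frozenset({"vcenter_admin"}), frozenset({"esxi_host_shell"})),
    Vuln("CVE-2023-20867", "low",
         frozenset({"esxi_host_shell"}), frozenset({"guest_exec_no_credentials"})),
    # Unreachable from a network foothold; stays at its vendor rating.
    Vuln("CVE-PLACEHOLDER-ISOLATED", "low",
         frozenset({"physical_access"}), frozenset({"bios_read"})),
]


def exploitable_chain(vulns, initial):
    """Forward-chain from the initial capabilities: keep exploiting any vuln whose
    preconditions are met until no further progress. Returns the CVEs reached,
    in the order they became exploitable, and the final capability set."""
    held = set(initial)
    order = []
    remaining = list(vulns)
    progress = True
    while progress:
        progress = False
        for v in list(remaining):
            if v.requires <= held:
                held |= v.grants
                order.append(v.cve)
                remaining.remove(v)
                progress = True
    return order, held


def effective_severity(vuln, reachable_cves):
    """Vendor severity for an unreachable vuln; otherwise the worse of the
    vendor severity and the impact of the capabilities it grants."""
    if vuln.cve not in reachable_cves:
        return vuln.vendor_severity
    worst_granted = max((CAPABILITY_IMPACT.get(c, "low") for c in vuln.grants),
                        key=SEVERITY_RANK.__getitem__)
    return max(vuln.vendor_severity, worst_granted, key=SEVERITY_RANK.__getitem__)


def prioritise(vulns, initial=frozenset({"network_access"})):
    """Map each CVE to its chain-aware severity."""
    order, _ = exploitable_chain(vulns, initial)
    reachable = set(order)
    return {v.cve: effective_severity(v, reachable) for v in vulns}


if __name__ == "__main__":
    chain, capabilities = exploitable_chain(VULNS, {"network_access"})
    print("exploitable chain:", " -> ".join(chain))
    print("capabilities at end of chain:", sorted(capabilities))
    for cve, sev in prioritise(VULNS).items():
        print(f"{cve:28} chain-aware severity: {sev}")
```

Run as a script, the output shows the vendor-rated "low" CVE-2023-20867 promoted to "critical", because it is the step that hands over credential-less command execution inside guest VMs once the vCenter and host steps have succeeded, while the isolated low-severity entry keeps its rating. Feeding real inventory into `VULNS` requires mapping each CVE to the capabilities it needs and grants, which is the analysis step a severity score alone skips.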