CVE-2023-20887

CRITICAL KEV NUCLEI

VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE

Title source: metasploit

Exploitation Summary

CVE-2023-20887 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 22, 2023. EIP tracks 4 public exploits from researchers including sinsinology, Malwareman007 and miko550, among them a Metasploit module (exploits/linux/http/vmware_vrni_rce_cve_2023_20887). A Nuclei detection template is also available.

Description

Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.

Exploits (4)

nomisec WORKING POC 232 stars
by sinsinology · remote
https://github.com/sinsinology/CVE-2023-20887

This repository contains a working proof-of-concept exploit for CVE-2023-20887, a pre-authenticated remote code execution vulnerability in VMware Aria Operations for Networks (vRealize Network Insight). The exploit leverages command injection via the Apache Thrift RPC interface to achieve root-level command execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: VMware Aria Operations for Networks (vRealize Network Insight) 6.x
No auth needed
Prerequisites: Network access to the target system · Apache Thrift RPC interface exposed
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 8 stars
by Malwareman007 · remote
https://github.com/Malwareman007/CVE-2023-20887

This repository contains a functional exploit for CVE-2023-20887, a pre-authenticated RCE vulnerability in VMware Aria Operations for Networks (vRealize Network Insight). The exploit leverages command injection via the Apache Thrift RPC interface to achieve remote code execution as root.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: VMware Aria Operations for Networks (vRealize Network Insight) 6.x
No auth needed
Prerequisites: Network access to the target · Target running vulnerable VMware Aria Operations for Networks version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 6 stars
by miko550 · remote
https://github.com/miko550/CVE-2023-20887

This exploit targets CVE-2023-20887, a pre-authenticated RCE vulnerability in VMware vRealize Network Insight. It sends a crafted Thrift payload to trigger command injection, resulting in a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: VMware vRealize Network Insight
No auth needed
Prerequisites: Network access to the target · Listener setup for reverse shell
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Sina Kheirkhah, Anonymous with Trend Micro Zero Day Initiative, h00die · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_vrni_rce_cve_2023_20887.rb

This Metasploit module exploits CVE-2023-20887, a pre-authenticated RCE vulnerability in VMware Aria Operations for Networks (vRealize Network Insight), via command injection in the Apache Thrift RPC interface. It bypasses a reverse proxy to execute arbitrary commands as root.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: VMware Aria Operations for Networks (vRealize Network Insight) 6.2 to 6.10
No auth needed
Prerequisites: Network access to the target's Apache Thrift RPC interface (typically port 443)
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

VMware VRealize Network Insight - Remote Code Execution
CRITICAL · VERIFIED · by sinsinology
Shodan: title:"VMware vRealize Network Insight" || http.title:"vmware vrealize network insight" || http.title:"vmware aria operations"
FOFA: title="VMware vRealize Network Insight" || title="vmware aria operations" || title="vmware vrealize network insight"

Scores

CVSS v3 9.8
EPSS 0.9426
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-06-22
VulnCheck KEV 2023-06-20
InTheWild.io 2023-06-20
ENISA EUVD EUVD-2023-25058
CWE CWE-77
Status published
Products (1)
vmware/aria_operations_for_networks 6.2.0 - 6.10.0
Published Jun 07, 2023
KEV Added Jun 22, 2023
Tracked Since Feb 18, 2026