VMware updated a security advisory published two weeks ago to warn customers that a now-patched critical vulnerability allowing remote code execution is being actively exploited in attacks.
"VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild," the company
said today.
This notice follows multiple warnings from cybersecurity firm GreyNoise, the first
issued one week after VMware
patched the security flaw on June 15 and just two days after security researcher Sina Kheirkhah
shared technical details and proof-of-concept exploit code.
"We have observed attempted mass-scanning activity utilizing the Proof-Of-Concept code mentioned above in an attempt to launch a reverse shell which connects back to an attacker controlled server in order to receive further commands," GreyNoise research analyst Jacob Fisher
said.
GreyNoise CEO Andrew Morris also
alerted VMware admins of this ongoing malicious activity earlier today, which likely prompted VMware to update its advisory.
GreyNoise now provides a
dedicated tag to help keep track of IP addresses observed while attempting to exploit CVE-2023-20887.
