Mandiant: New VMware ESXi zero-day used by Chinese APT

Mandiant discovered a new zero-day flaw affecting VMware hypervisor ESXi that is under active exploitation by a Chinese nation-state threat actor.

The Google Cloud-owned incident response firm said the flaw is being used by a Chinese advanced persistent threat group that Mandiant refers to as "UNC3886." VMware said in its security advisory that the flaw, tracked as CVE-2023-20867, is an authentication bypass that can be exploited when a "fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine."

Mandiant said in its research post that in order to exploit the flaw, the attacker is required to have privileged account access to the ESXi host, and the target guest machine must have software management app VMware Tools installed.

Once the actor obtains that access, CVE-2023-20867 enables an attacker to execute privileged actions on a compromised ESXi host without the need for authentication. Moreover, "no logging events are generated by default when CVE-2023-20867 is successfully exploited," Mandiant said, meaning defenders under attack could face greater challenges in the incident response process.

VMware customers can patch the flaw by updating their VMware Tools instance to version 12.2.5.

Despite the flaw's ongoing use in targeted attacks, VMware evaluated the flaw at a "low severity" CVSS v3 score of 3.9 in its advisory. A VMware spokesperson told TechTarget Editorial via an emailed statement that the vulnerability "cannot be exploited unless the attacker has already gained root access."

The full statement read as follows:

The security of our customers is a priority at VMware. Today we released a security advisory to help customers apply the software updates to address CVE-2023-20867, a vulnerability that cannot be exploited unless the attacker has already gained root access. Customers are encouraged to take a holistic security approach that includes not only software updates but also the hardening guidance available in our vSphere security blog.

Mandiant said in its post that UNC3886 is a "highly adept" Chinese cyberespionage group that "has primarily targeted defense, technology, and telecommunication organizations located in the US and APJ [Asia-Pacific] regions." The firm added that the actor has previously targeted victims via zero-day flaws in firewall and virtualization products, and that it "continues to target devices and platforms that traditionally lack EDR [endpoint detection and response] solutions and make use of zero-day exploits on those platforms."

CVE-2023-20867 bears no connection to the high-profile ESXiArgs ransomware campaign reported earlier this year, in which threat actors used flaws such as CVE-2021-21974 and CVE-2020-3992 in attacks against internet-facing servers in nations including the U.S., Canada, France and Germany.

Alex Marvi, a Mandiant consultant at Google Cloud, told TechTarget Editorial in an email that the firm has personally "observed the exploitation of this vulnerability across under a dozen organizations in the defense contractor and telecommunications industries in the APJ and U.S. regions."

Asked about how widespread he expects exploitation to become, Marvi said exploitation might be uncommon in the short term.

"Due to an attacker needing administrative access to exploit CVE-2023-20867, we anticipate that this threat will not be all too common to start," he said. "But as offensive tooling for the exploit becomes public, it can become a powerful tool for actors to deploy across normally segmented environments, bypassing normal network protections."

Alexander Culafi is a writer, journalist and podcaster based in Boston.