The vulnerability is known to be exploited by the UNC3886 APT actor.
Vulnerability details
Advisory: SB2023061339 - Authentication bypass in VMware Tools
Vulnerable component: VMware Tools
CVE-ID: CVE-2023-20867
CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-287 - Improper Authentication
Description:
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an error in the vgauth module. An attacker who has compromised the ESXi host can bypass the authentication process and execute privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs from that host without authenticating with guest credentials, and with no logging on the guest VMs by default.
Note: the vulnerability is being actively exploited in the wild by the UNC3886 APT actor.
External links:
https://www.vmware.com/security/advisories/VMSA-2023-0013.html
https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass