VMware is urging customers to patch a critical vulnerability discovered by external researchers in its Aria Automation multi-cloud infrastructure automation platform.
The vulnerability, tracked as CVE-2023-34063 and assigned a CVSS score of 9.9, affects Aria Automation (formerly vRealize Automation) prior to version 8.16, as well as Cloud Foundation.
The flaw has been described as a missing access control issue that could allow an authenticated attacker to gain unauthorized access to remote organizations and workflows.
VMware has released patches for each of the impacted versions and urged customers to install them as soon as possible. The company noted, however, that it’s currently not aware of in-the-wild exploitation.
“In ITIL terms, this situation qualifies as an emergency change, necessitating prompt action from your organization. However, the appropriate security response varies depending on specific circumstances. It’s important to consult with your organization’s information security staff to decide the best course of action tailored to your organization’s needs,” VMware said in an FAQ document.
The Broadcom-owned virtualization giant has credited the Scientific Computing Platforms team at the Commonwealth Scientific and Industrial Research Organisation (CSIRO) for reporting the vulnerability.
It’s not uncommon for threat actors to exploit VMware product vulnerabilities in their attacks. The known exploited vulnerabilities catalog maintained by the US security agency CISA currently includes 21 VMware bugs, including ones affecting Aria products.
Related: Critical Authentication Bypass Flaw in VMware Cloud Director Appliance
Related: VMware vCenter Flaw So Critical, Patches Released for End-of-Life Products
Related: VMware Patches Major Security Flaws in Network Monitoring Product
Related: Exploit Code Published for Critical-Severity VMware Security Defect