Connect with us

Hi, what are you looking for?



VMware Urges Customers to Patch Critical Aria Automation Vulnerability 

Aria Automation is affected by a critical vulnerability that could be exploited to gain access to remote organizations and workflows.

VMware vulnerability

VMware is urging customers to patch a critical vulnerability discovered by external researchers in its Aria Automation multi-cloud infrastructure automation platform.

The vulnerability, tracked as CVE-2023-34063 and assigned a CVSS score of 9.9, affects Aria Automation (formerly vRealize Automation) prior to version 8.16, as well as Cloud Foundation.

The flaw has been described as a missing access control issue that could allow an authenticated attacker to gain unauthorized access to remote organizations and workflows.

VMware has released patches for each of the impacted versions and urged customers to install them as soon as possible. The company noted, however, that it’s currently not aware of in-the-wild exploitation. 

“In ITIL terms, this situation qualifies as an emergency change, necessitating prompt action from your organization. However, the appropriate security response varies depending on specific circumstances. It’s important to consult with your organization’s information security staff to decide the best course of action tailored to your organization’s needs,” VMware said in an FAQ document.

The Broadcom-owned virtualization giant has credited the Scientific Computing Platforms team at the Commonwealth Scientific and Industrial Research Organisation (CSIRO) for reporting the vulnerability. 

It’s not uncommon for threat actors to exploit VMware product vulnerabilities in their attacks. The known exploited vulnerabilities catalog maintained by the US security agency CISA currently includes 21 VMware bugs, including ones affecting Aria products. 

Related: Critical Authentication Bypass Flaw in VMware Cloud Director Appliance

Advertisement. Scroll to continue reading.

Related: VMware vCenter Flaw So Critical, Patches Released for End-of-Life Products

Related: VMware Patches Major Security Flaws in Network Monitoring Product

Related: Exploit Code Published for Critical-Severity VMware Security Defect

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.