"Chinese Threat Actor Abused ESXi Zero-Day to Pilfer Files From Guest VMs"

A Chinese cyber espionage group that researchers had previously observed targeting VMware ESXi hosts has been exploiting a zero-day authentication bypass flaw in the virtualization technology to execute privileged commands on guest virtual machines (VMs). Researchers from Mandiant discovered the vulnerability during their ongoing investigation of UNC3886, a Chinese threat actor they have been tracking for some time, and disclosed it to VMware, which then issued a patch to address it. The zero-day, tracked as CVE-2023-208670, resides in VMware Tools, a collection of services and modules that improves administration of guest operating systems. It enables attackers who control a compromised ESXi host to transfer files to and from Windows, Linux, and vCenter guest VMs without guest credentials and without the activity being logged by default. VMware rated the vulnerability as medium severity because an attacker must already have root access to an ESXi host in order to exploit it. This article continues to discuss UNC3886 and the threat actor's exploitation of a zero-day vulnerability in VMware Tools.

Dark Reading reports "Chinese Threat Actor Abused ESXi Zero-Day to Pilfer Files From Guest VMs"
