CISA Adds XWiki and Broadcom VMware Flaws to Known Exploited Vulnerabilities Catalog

CISA has added critical XWiki and VMware vulnerabilities to its Known Exploited list, confirming active attacks and urging immediate patching under federal security mandates.

    The Cybersecurity and Infrastructure Security Agency (CISA) has taken decisive action by adding multiple actively exploited security vulnerabilities affecting the XWiki Platform, Broadcom’s VMware Aria Operations, and VMware Tools to its Known Exploited Vulnerabilities (KEV) catalog. This move indicates that these flaws are currently being leveraged by threat actors in the wild and require immediate attention from security teams across affected organizations.

    Exploited Flaws Draw Attention With Real-World Impact

    CISA’s inclusion of these vulnerabilities in the KEV catalog enforces a binding operational directive (BOD 22-01) that obligates U.S. federal civilian agencies to remediate the listed vulnerabilities within specified timeframes. Private sector and critical infrastructure entities are strongly encouraged to do the same.

    Flaw in XWiki Platform Enables Remote Code Execution

    The first vulnerability added to the KEV catalog, tracked as CVE-2023-35150, affects versions of the XWiki Platform, an open-source enterprise wiki used for collaboration and content management. The flaw lies in how the platform renders templates without sufficient input validation. When exploited, it allows remote code execution (RCE) without authentication.

    Specifically, CVE-2023-35150 is caused by improper sanitization in certain “include macros,” which permits attackers to inject malicious code into web templates. Because templates are often invoked with elevated privileges or are reused across pages and users, exploitation can lead to widespread compromise within a system. The National Institute of Standards and Technology (NIST) assigned the vulnerability a critical CVSS score of 9.8.

    Broadcom VMware Aria Operations Hit by Deserialization Vulnerability

    The second vulnerability, CVE-2023-34051, impacts VMware Aria Operations for Logs (formerly vRealize Log Insight), a log management tool used in VMware environments. It is classified as an unauthenticated deserialization flaw, which may allow attackers to execute arbitrary code on affected systems by sending specially crafted requests.

    Attackers exploiting this flaw don’t need credentials, making it significantly easier to target publicly exposed or poorly segmented infrastructure. VMware assigned it a severity rating of 9.8 out of 10. The vulnerability has reportedly been actively exploited to gain access to environments running vulnerable installations, often as a foothold for broader lateral movement activities.

    VMware Tools Bug Could Elevate Local Privileges

    CISA’s catalog update also includes CVE-2023-20867, a vulnerability in VMware Tools, specifically the VMware Tools Service running in guest machines. Unlike the other two flaws, this is a local privilege escalation vulnerability. It allows users with existing access to a Linux guest system running VMware Tools to execute code with root-level permissions.

    Although it requires existing local access, unlike the two remote code execution bugs, CVE-2023-20867 poses a significant threat in post-compromise operations, especially in virtualized environments that host sensitive workloads or are part of hybrid cloud deployments.

    Mandatory Patch Compliance Deadlines for Federal Agencies

    CISA has mandated that federal civilian agencies remediate all three vulnerabilities by May 29, 2024. This requirement underscores the urgency of the flaws and the likelihood that threat actors are targeting them in real-world environments.

    The KEV catalog serves as a vital resource within the U.S. government’s broader vulnerability management framework, helping prioritize the patching of vulnerabilities that are demonstrably being used in attacks, as opposed to those that are merely theoretical.

    Federal agencies must leverage the catalog to:

    • Prioritize remediation of known exploited vulnerabilities
    • Perform environment-wide audits for affected software
    • Apply manufacturer patches or mitigations before the compliance deadline
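The prioritization step above can be scripted against CISA's public KEV feed. The following is an added example, not code from the article or from CISA: it parses a constructed sample in the shape of the KEV JSON feed (field names such as cveID, product and dueDate are assumed to match the public feed), joins it to a constructed asset inventory, and returns a work list ordered by due date with overdue items flagged.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV feed
# (known_exploited_vulnerabilities.json). Only the three CVE IDs and the
# May 29, 2024 due date come from the article; dateAdded, requiredAction
# and the product strings are placeholders, not CISA's published values.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2023-35150", "vendorProject": "XWiki", "product": "XWiki Platform",
     "dateAdded": "2024-05-08", "dueDate": "2024-05-29", "requiredAction": "Apply vendor updates."},
    {"cveID": "CVE-2023-34051", "vendorProject": "VMware", "product": "Aria Operations for Logs",
     "dateAdded": "2024-05-08", "dueDate": "2024-05-29", "requiredAction": "Apply vendor updates."},
    {"cveID": "CVE-2023-20867", "vendorProject": "VMware", "product": "Tools",
     "dateAdded": "2024-05-08", "dueDate": "2024-05-29", "requiredAction": "Apply vendor updates."}
  ]
}"""

# Constructed asset inventory, as a scanner or CMDB export might provide:
# (hostname, vendor, product). Matching is by vendor+product, case-insensitive.
SAMPLE_INVENTORY = [
    ("wiki-01.corp.example", "XWiki", "XWiki Platform"),
    ("logs-01.corp.example", "VMware", "Aria Operations for Logs"),
    ("build-07.corp.example", "Canonical", "Ubuntu"),  # not in the KEV sample
]


def load_kev(text):
    """Parse a KEV JSON document and index its entries by CVE ID."""
    data = json.loads(text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def prioritize(kev, inventory, as_of_iso):
    """Join KEV entries to the inventory and return one work item per affected
    host, earliest due date first, flagging items overdue as of as_of_iso."""
    as_of = date.fromisoformat(as_of_iso)
    by_product = {}
    for v in kev.values():
        key = (v["vendorProject"].lower(), v["product"].lower())
        by_product.setdefault(key, []).append(v)
    items = []
    for host, vendor, product in inventory:
        for v in by_product.get((vendor.lower(), product.lower()), []):
            due = date.fromisoformat(v["dueDate"])
            items.append({"host": host, "cve": v["cveID"], "due": due.isoformat(),
                          "overdue": due < as_of, "action": v["requiredAction"]})
    return sorted(items, key=lambda i: (i["due"], i["host"]))
```

Feeding the real feed instead of the sample only requires replacing SAMPLE_KEV_JSON with the downloaded document; the inventory join is where most of the practical effort lies.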

    Broader Implications for Enterprises and Security Teams

    While the directive primarily applies to federal systems, enterprise defenders and critical infrastructure operators should closely monitor CISA KEV updates. Threat actors often reuse known tactics and exploit widely used tools across both government and private sector networks.

    Key Mitigation Steps for Affected Users Include:

    1. Apply patches provided by XWiki and VMware without delay
    2. Locate and isolate vulnerable systems using vulnerability scanning platforms
    3. Monitor logs for indicators of compromise (IoCs) related to CVE-2023-35150, CVE-2023-34051, and CVE-2023-20867
    4. Validate system integrity post-patching to detect any lingering attacker artifacts

    Neglecting these critical flaws could expose enterprises to ransomware payloads, data exfiltration, or lateral movement across hybrid cloud environments.

    Patch Now to Avoid Exploitation

    CISA’s addition of the XWiki and VMware vulnerabilities to the KEV catalog highlights the real-world threat these flaws pose. Security leaders must act swiftly by patching systems, auditing their environments, and anticipating attacker behaviors. As the pace of exploitation increases, the window between a vulnerability's disclosure and its active use by adversaries continues to shrink, raising the stakes for defenders across all sectors.
