CVE-2023-34063 (CVSS 9.9): A Critical Flaw in VMware Aria Automation

VMware Aria Automation, formerly known as vRealize Automation, serves as a linchpin for orchestrating and automating complex infrastructures. This powerful cloud management platform (CMP) streamlines the deployment of applications and resources across diverse environments, offering a blend of convenience and control. However, the recent discovery of CVE-2023-34063, a critical vulnerability with a CVSS score of 9.9, allows attackers to gain remote execution.

CVE-2023-34063 is described as a missing access control vulnerability within Aria Automation. This vulnerability opens the door for an authenticated malicious actor to gain unauthorized access to remote organizations and their workflows. The implications of such exploitation are profound, as it could lead to the compromise of sensitive data and disruption of critical operations.


“An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows,” VMware wrote.

The complete list of VMware products impacted by this vulnerability includes:

  • VMware Aria Automation (formerly vRealize Automation) versions 8.14.x, 8.13.x, 8.12.x, and 8.11.x
  • VMware Cloud Foundation (Aria Automation) versions 5.x, and 4.x

Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) Scientific Computing Platforms team has been credited for reporting this flaw.

VMware has confirmed that, as of now, there is no evidence to suggest that CVE-2023-34063 has been exploited in attacks. This revelation provides a crucial window for users to fortify their defenses against potential exploits.

In response to this discovery, VMware has not just acknowledged the vulnerability but also provided patch download links. Patch download links and detailed installation instructions are readily available on VMware’s knowledgebase website. These resources are vital for administrators and IT professionals to patch their systems and safeguard against the unauthorized incursions that this vulnerability could permit.