CVE-2023-20854

8.4 HIGH

📋 TL;DR

CVE-2023-20854 is an arbitrary file deletion vulnerability in VMware Workstation that allows local authenticated users to delete any files on the system where Workstation is installed. This affects users running vulnerable versions of VMware Workstation on their local machines.

💻 Affected Systems

Products:
  • VMware Workstation
Versions: Workstation 17.x prior to 17.0.2
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local user privileges on the host system where VMware Workstation is installed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical system files, leading to OS corruption, data loss, or denial of service.

🟠 Likely Case

Targeted deletion of user files, configuration files, or application data causing data loss and service disruption.

🟢 If Mitigated

Limited impact if proper access controls and monitoring are in place, with potential for detection before significant damage.

🌐 Internet-Facing: LOW - Requires local user access, not directly exploitable over network.
🏢 Internal Only: HIGH - Any local user with VMware Workstation access can potentially exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access but no special privileges beyond what normal users have.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: VMware Workstation 17.0.2

Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2023-0003.html

Restart Required: Yes

Instructions:

1. Download VMware Workstation 17.0.2 from the VMware website.
2. Run the installer.
3. Follow the installation prompts.
4. Restart the system when prompted.

🔧 Temporary Workarounds

Restrict local user access

all

Limit which users have access to systems running VMware Workstation

Implement file integrity monitoring

all

Monitor for unauthorized file deletions using tools like Tripwire or Windows File Integrity Monitoring

🧯 If You Can't Patch

  • Implement strict access controls to limit who can use VMware Workstation
  • Deploy file integrity monitoring to detect unauthorized file deletions

🔍 How to Verify

Check if Vulnerable:

Check VMware Workstation version via Help > About in the application or check installed version in Programs and Features (Windows) or package manager (Linux).

Check Version:

On Windows: wmic product where name='VMware Workstation' get version
On Linux: vmware --version

Verify Fix Applied:

Verify version is 17.0.2 or later in Help > About or system information.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletion events in system logs
  • VMware Workstation error logs showing abnormal file operations

Network Indicators:

  • No network indicators - local exploit only

SIEM Query:

EventID=4663 (File deletion) AND ProcessName contains 'vmware' AND User NOT IN (authorized_users_list)
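
The query above applied to exported events, as an added example (not code from the advisory or from VMware). Event 4663 is logged for every audited object access, so the filter also tests the AccessMask for the DELETE bit (0x10000). The allowlist and the sample records are constructed assumptions.

```python
DELETE = 0x10000  # DELETE access right as reported in the 4663 AccessMask field

# Assumption: this allowlist stands in for the query's authorized_users_list.
AUTHORIZED_USERS = {"vmadmin"}

# Constructed sample records; field names follow Windows Security event 4663.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "vmadmin",
     "ProcessName": r"C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe",
     "ObjectName": r"D:\VMs\lab\lab.vmdk", "AccessMask": "0x10000"},
    {"EventID": 4663, "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe",
     "ObjectName": r"C:\Windows\System32\drivers\etc\hosts", "AccessMask": "0x10080"},
    {"EventID": 4663, "SubjectUserName": "jdoe",  # read access only, not a delete
     "ProcessName": r"C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe",
     "ObjectName": r"D:\VMs\lab\lab.vmx", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "jdoe",  # delete, but not a VMware process
     "ProcessName": r"C:\Windows\explorer.exe",
     "ObjectName": r"C:\Users\jdoe\old.txt", "AccessMask": "0x10000"},
]

def requests_delete(mask_text):
    """True when the hex AccessMask string includes the DELETE bit."""
    try:
        return bool(int(mask_text, 16) & DELETE)
    except (TypeError, ValueError):
        return False  # malformed or missing mask: not a confirmed deletion

def suspicious_deletions(events, authorized=AUTHORIZED_USERS):
    """Return events matching the page's query, restricted to DELETE access."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        if "vmware" not in ev.get("ProcessName", "").lower():
            continue
        if ev.get("SubjectUserName", "").lower() in authorized:
            continue
        if requests_delete(ev.get("AccessMask")):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in suspicious_deletions(SAMPLE_EVENTS):
        print(ev["SubjectUserName"], ev["ObjectName"], ev["AccessMask"])
```

Event 4663 is only generated when object access auditing is enabled and the watched files or folders carry an audit entry (SACL) covering delete operations.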
