CVE-2022-22954
Workspace ONE Access Connector vulnerability analysis and mitigation

Overview

CVE-2022-22954 is a critical remote code execution vulnerability affecting VMware Workspace ONE Access and Identity Manager, discovered and disclosed in April 2022. The vulnerability stems from a server-side template injection flaw and has received a CVSSv3 base score of 9.8. The affected products include VMware Workspace ONE Access versions 20.10.0.0-20.10.0.1 and 21.08.0.0-21.08.0.1, as well as VMware Identity Manager (vIDM) versions 3.3.3-3.3.6 (VMware Advisory).

Technical details

The vulnerability arises from a server-side template injection flaw that allows remote code execution. An unauthenticated attacker with network access to the web interface can execute arbitrary shell commands as the VMware user. The vulnerability has been assigned the highest severity rating with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating the critical nature of the security risk (NVD).

Impact

The vulnerability allows malicious actors with network access to trigger server-side template injection that can result in remote code execution. Successful exploitation provides attackers with the ability to execute arbitrary commands on the affected systems. The vulnerability has been actively exploited in the wild to deploy various malicious payloads, including coin miners and reverse HTTPS backdoors (Rapid7).

Mitigation and workarounds

VMware has released patches to address this vulnerability and strongly recommends immediate patching without waiting for regular patch cycles. Patches are available through the VMware Knowledge Base article KB88099. For systems that cannot be immediately patched, workarounds have been documented in KB88098 (VMware Advisory).
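
To decide which appliances need the patch verified first, the affected version ranges listed in the Overview can be checked against an asset inventory. The Python script below is an added example, not VMware's tooling or part of the original report; the inventory rows, hostnames and product-name aliases are constructed assumptions.

```python
from itertools import zip_longest

# Affected ranges exactly as stated on this page (inclusive on both ends).
AFFECTED = {
    "workspace one access": [("20.10.0.0", "20.10.0.1"), ("21.08.0.0", "21.08.0.1")],
    "identity manager": [("3.3.3", "3.3.6")],
}
# Assumed spellings an inventory export might use (hypothetical, extend as needed).
ALIASES = {"vidm": "identity manager", "vmware identity manager": "identity manager",
           "vmware workspace one access": "workspace one access"}

def parse_version(text):
    """'21.08.0.1' -> (21, 8, 0, 1); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def compare(a, b):
    """Compare versions component-wise, padding the shorter one with zeros."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def is_affected(product, version):
    """True/False for listed products; None if product or version cannot be judged."""
    name = " ".join(product.lower().split())
    name = ALIASES.get(name, name)
    if name not in AFFECTED:
        return None
    try:
        v = parse_version(version)
    except ValueError:
        return None  # unparseable version: flag for manual review, never assume safe
    return any(compare(parse_version(lo), v) <= 0 <= compare(parse_version(hi), v)
               for lo, hi in AFFECTED[name])

def triage(inventory):
    """Split (host, product, version) rows into affected / not_listed / unknown."""
    result = {"affected": [], "not_listed": [], "unknown": []}
    for host, product, version in inventory:
        verdict = is_affected(product, version)
        key = "unknown" if verdict is None else ("affected" if verdict else "not_listed")
        result[key].append(host)
    return result

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE = [("idp-01", "VMware Workspace ONE Access", "21.08.0.1"),
          ("idp-02", "Workspace ONE Access", "22.09.0.0"),
          ("idm-01", "vIDM", "3.3.5"), ("idm-02", "Identity Manager", "3.3.2"),
          ("idp-03", "Workspace ONE Access", "20.10.0.1-build123"),
          ("web-01", "nginx", "1.22.0")]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the unknown bucket need a manual version check rather than being treated as unaffected.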

Community reactions

The security community responded quickly to this vulnerability, with multiple security firms and researchers analyzing and reporting on exploitation attempts. Security news outlets reported widespread exploitation activities, particularly noting the deployment of coin miners and backdoors. The vulnerability was added to CISA's Known Exploited Vulnerabilities Catalog, emphasizing its critical nature and requiring federal agencies to patch by May 5, 2022 (NVD).

Source: This report was generated using AI
