May Vuln of the Month: CVE-2022-22954
May’s Vuln of the Month is a remote code execution (RCE) vulnerability in VMware’s identity management service, now called VMware Workspace ONE. This serious vulnerability is actively being exploited by state actors and warrants the immediate attention of security professionals.
Our research shows that CVE-2022-22954 meets many of the criteria we look for in a vulnerability that could be exploited, including:
- Access complexity: Low
- Potential attack surface: Broad
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: Complete
- Exploit code published: Yes
- Active exploits observed: Yes
The Kenna Risk Score for CVE-2022-22954 is 93, which means this vulnerability represents a higher risk than 99% of all the vulns we’ve scored. We’re not alone in recognizing its seriousness: this vuln’s CVSS 3.x score is a “Critical” 9.8 and its CVSS 2.0 score is a “High” 10.0.
Why CVE-2022-22954 matters
CVE-2022-22954 is a server-side template injection flaw that could leave an organization running VMware Workspace ONE vulnerable to remote execution of malicious commands on the hosting server, including the use of corporate servers and resources to mine cryptocurrency. VMware issued a patch to close the vuln on April 6, and on April 11 proof-of-concept code appeared. Two days later, evidence emerged that exploitation of CVE-2022-22954 was underway. The fact that it is being actively exploited by sophisticated state actors makes this vulnerability a particularly risky one.
Attackers are known to target VMware products in wide-ranging attacks, so Cisco Talos recommends patching as soon as possible. Cisco Talos Incident Response found that last quarter, attackers often targeted VMware Horizon servers to gain an initial foothold into targeted networks. Additionally, the SVR Group — a suspected Russian state-sponsored actor — targeted another VMware Workspace ONE vulnerability, CVE-2020-4006, according to an April 2021 advisory from the U.S. National Security Agency.
Cisco Talos continues to develop detection for this vulnerability. Users can check Snort.org for the latest rule updates, which will carry any future rules written to detect exploitation of CVE-2022-22954.
Bottom line
CVE-2022-22954 is a high-risk vulnerability in VMware Workspace ONE that should be patched ASAP. Attacks can be executed remotely with little effort and no special privileges, and a successful exploit can cause significant damage, up to and including a complete loss of system and service availability. And since exploits have already been observed, they are likely to continue.
Mitigation status
On April 6, VMware patched the vulnerability as described in this guide to fixed versions of affected VMware software. Workarounds are also described.
Watch this space for regular Vuln of the Month spotlights, which appear on Exploit Wednesday, the day following Microsoft’s monthly Patch Tuesday patch release. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to vulnerability intelligence powered by machine learning.