May Vuln of the Month: CVE-2022-22954

May 11, 2022
Jerry Gamblin
Director of Security Research at Kenna Security


May’s Vuln of the Month is a remote code execution (RCE) vulnerability in VMware Workspace ONE Access (formerly VMware Identity Manager), the identity management component of the Workspace ONE suite. This serious vulnerability is being actively exploited, including by state actors, and warrants the immediate attention of security professionals.

Our research shows that CVE-2022-22954 meets many of the criteria we look for in a vulnerability that could be exploited, including: 

  • Access complexity: Low 
  • Potential attack surface: Broad 
  • Exploitable remotely: Yes 
  • Authentication/privilege requirements: None 
  • Potential impact on availability: Complete 
  • Exploit code published: Yes 
  • Active exploits observed: Yes

The Kenna Risk Score for CVE-2022-22954 is 93, which means this vulnerability represents a higher risk than 99% of all the vulns we’ve scored. We’re not alone in recognizing its seriousness: this vuln’s CVSS 3.x score is a “Critical” 9.8 and its CVSS 2.0 score is a “High” 10.0.

Why CVE-2022-22954 matters 

CVE-2022-22954 is a server-side template injection flaw: an unauthenticated attacker can supply input that the server renders as template code rather than as data, which lets them execute arbitrary commands on the host running Workspace ONE Access. Observed abuse has included using the compromised corporate servers and resources to mine cryptocurrency. VMware issued a fix on April 6, and on April 11 proof-of-concept code appeared. Two days later, evidence emerged that exploitation of CVE-2022-22954 was underway. The fact that it is being actively exploited by sophisticated state actors makes this vulnerability a particularly risky one.
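The following is an added, constructed illustration of the server-side template injection class described above; it is not VMware code and does not reproduce the CVE-2022-22954 request. Python’s `str.format` stands in for a template engine, and a hypothetical `Greeting` view-model object and a constructed `SECRET_TOKEN` stand in for server-side state. The vulnerable function splices untrusted input into the template before rendering, so template syntax in the input is evaluated and reaches through the object graph into the interpreter’s globals; the fixed function keeps the template constant and passes the input only as a value. The real flaw led to command execution rather than the data leak shown here, but the root cause is the same: attacker-controlled text is parsed as a template.

```python
"""Constructed illustration of server-side template injection (SSTI).

Added example for this post. It is NOT VMware code and does not reproduce
the CVE-2022-22954 request. Python's str.format plays the role of a
template engine: like any engine that evaluates expressions inside a
template, it will walk object attributes when the attacker controls the
template text itself.
"""


class Greeting:
    """Hypothetical view-model object handed to the template (assumption)."""

    def __init__(self, app_name: str) -> None:
        self.app_name = app_name


# Constructed stand-in for sensitive server-side state.
SECRET_TOKEN = "demo-secret-0001"

# Constructed untrusted input, e.g. a query-string parameter. Instead of a
# plain name it carries a template expression that reaches through the
# object passed to the template and into the module's globals.
ATTACKER_INPUT = "{ctx.__class__.__init__.__globals__[SECRET_TOKEN]}"


def render_vulnerable(user_input: str) -> str:
    """Bug: untrusted input is spliced INTO the template before rendering,
    so any template syntax in the input is evaluated by the engine."""
    template = "Welcome, " + user_input + "!"
    return template.format(ctx=Greeting("portal"))


def render_fixed(user_input: str) -> str:
    """Fix: the template is a constant; untrusted input is only ever a
    value substituted into it and is never parsed as template syntax."""
    template = "Welcome, {name}!"
    return template.format(name=user_input, ctx=Greeting("portal"))


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ATTACKER_INPUT))
    print("fixed:     ", render_fixed(ATTACKER_INPUT))
```

Running the block prints the leaked token from the vulnerable path and the attacker’s input echoed back verbatim from the fixed path. The check a practitioner wants is the second one: the fix is not a denylist of dangerous expressions but the guarantee that user-supplied bytes never become part of the template source.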

Attackers are known to target VMware products in wide-ranging attacks, so Cisco Talos recommends patching as soon as possible. Cisco Talos Incident Response found that last quarter, attackers often targeted VMware Horizon servers to gain an initial foothold in targeted networks. Additionally, the SVR (Russia’s Foreign Intelligence Service) targeted another vulnerability in the same product, CVE-2020-4006, according to an April 2021 advisory from the U.S. National Security Agency.

Cisco Talos continues to develop detection for this vulnerability. Users can check for the latest rule updates, which will contain rules to protect against exploitation of CVE-2022-22954.

Bottom line 

CVE-2022-22954 is a high-risk vulnerability in VMware Workspace ONE Access that should be patched ASAP. Attacks can be executed remotely with little trouble and no special privileges, and a successful exploit can inflict significant damage, up to and including complete loss of system and service availability. And since exploits have already been observed, they are likely to continue.

Mitigation status 

On April 6, VMware patched the vulnerability; its advisory lists the fixed versions of the affected VMware products and also describes workarounds for systems that cannot be patched immediately.

Watch this space for regular Vuln of the Month spotlights, which appear on Exploit Wednesday, the day following Microsoft’s monthly Patch Tuesday patch release. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to vulnerability intelligence powered by machine learning.  


© 2022 Kenna Security. All Rights Reserved. Privacy Policy.