External risk intelligence

VMware Identity Manager and Workspace ONE Access Vulnerability

CVE advisory (Known Exploit)

CVE-2022-22954

VMware Workspace ONE Access and Identity Manager are affected by a remote code execution vulnerability caused by server-side template injection. An actor with network access can exploit it without authorization to execute code on affected systems, potentially leading to data compromise and full system control.

Halo Surface Signal: 5

Code Injection

VMware Identity Manager

Affected versions: 3.3.3, 3.3.4, 3.3.5, 3.3.6, 7.6, 20.10.0.0, 20.10.0.1, 21.08.0.0, 21.08.0.1, 4.0 to 4.3.1, 8.0 to 8.2

External exposure likelihood

Halo Surface Signal score for CVE-2022-22954

This vulnerability affects VMware Workspace ONE Access and Identity Manager, which are identity and access management portals designed to be deployed as public-facing gateways to facilitate remote and external authentication services.

Horizon Alert

Summary of the vulnerability and why it matters

VMware Workspace ONE Access and Identity Manager are affected by a vulnerability that allows for remote code execution. This flaw stems from a server-side template injection weakness within these products. A malicious actor with network access could exploit this to execute arbitrary code on the affected systems. The potential impact includes unauthorized access and control over critical systems.

  • Vulnerable VMware products
  • Server-side template injection flaw
  • Remote code execution possible

Attack Path

How an attacker could exploit the issue

A server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager allows attackers to execute arbitrary code remotely. This exploit requires network access to an affected system, where an attacker can craft a malicious request to trigger the injection. Successful exploitation can lead to the execution of commands on the server, potentially granting the attacker control over the system and access to sensitive data.

  • Exposure via network access.
  • Attacker triggers template injection.
  • Results in remote code execution.

Live Threat

Current exploitation, exposure, and threat context

A critical server-side template injection vulnerability exists in VMware Workspace ONE Access and Identity Manager. This flaw allows a malicious actor with network access to execute arbitrary code on affected systems, potentially leading to a complete compromise. The vulnerability carries a high base score, indicating significant potential for damage.

  • Attackers with low skill may exploit.
  • No authentication or prior access is needed for exploitation.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in VMware Workspace ONE Access and Identity Manager allows a malicious actor to execute remote code. The attack leverages a server-side template injection weakness. Organizations should act to identify and mitigate risks associated with this vulnerability to protect systems and data.

  • Find affected assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.
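To support the first step, finding affected assets, here is an added example that is not part of this advisory: it checks inventory version strings against the affected versions printed on this page. The inventory is constructed, the version list is taken as printed (the page does not say which product each range belongs to), and the upper bound of each range is treated as a prefix so that any patch level of 8.2 or 4.3.1 stays in scope.

```python
# Constructed example: flag inventory entries whose version falls in the affected
# set printed on this page. Not part of the advisory; hosts below are invented.

AFFECTED_EXACT = ["3.3.3", "3.3.4", "3.3.5", "3.3.6", "7.6",
                  "20.10.0.0", "20.10.0.1", "21.08.0.0", "21.08.0.1"]
AFFECTED_RANGES = [("4.0", "4.3.1"), ("8.0", "8.2")]   # inclusive, as printed


def parse_version(v: str) -> tuple:
    """'21.08.0.1' -> (21, 8, 0, 1); int() drops the leading zero in '08'."""
    return tuple(int(part) for part in v.strip().split("."))


def _pad(a: tuple, b: tuple) -> tuple:
    """Zero-pad both tuples to the same length so 3.3.6 == 3.3.6.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(version: str) -> bool:
    v = parse_version(version)
    for exact in AFFECTED_EXACT:
        x, y = _pad(v, parse_version(exact))
        if x == y:
            return True
    for low, high in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        v_lo, lo_p = _pad(v, lo)
        # Lower bound is inclusive after padding. The upper bound is compared as a
        # prefix, so any patch level of 8.2 (8.2.0.1, ...) stays in scope; this is
        # deliberately conservative for an inventory sweep.
        if lo_p <= v_lo and v[: len(hi)] <= hi:
            return True
    return False


def triage(inventory: list) -> list:
    """Return affected hosts, internet-facing ones first (they are the gateways)."""
    hits = [h for h in inventory if is_affected(h["version"])]
    return sorted(hits, key=lambda h: (not h["internet_facing"], h["host"]))


INVENTORY = [  # constructed sample data, not real hosts
    {"host": "idm-01.example.test", "version": "3.3.6", "internet_facing": True},
    {"host": "access-02.example.test", "version": "21.08.0.1", "internet_facing": False},
    {"host": "access-03.example.test", "version": "22.09.0.0", "internet_facing": True},
    {"host": "lcm-01.example.test", "version": "8.1.0", "internet_facing": False},
]

if __name__ == "__main__":
    for h in triage(INVENTORY):
        exposure = "INTERNET-FACING" if h["internet_facing"] else "internal"
        print(f"{h['host']}\t{h['version']}\t{exposure}")
```

Feed it your real inventory export and treat every hit, internet-facing first, as a candidate for the isolation and patching steps above.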

Frequently asked questions

What are VMware Workspace ONE Access and Identity Manager?

VMware Workspace ONE Access and Identity Manager are identity and access management solutions designed to provide secure, single sign-on access to applications. They often serve as a gateway for external authentication.

What is the nature of CVE-2022-22954?

CVE-2022-22954 is a critical server-side template injection vulnerability. This weakness enables attackers to inject and execute malicious code on the server, potentially leading to remote code execution.

How can CVE-2022-22954 be exploited?

Exploitation of CVE-2022-22954 requires network access to an affected system. An attacker can trigger the server-side template injection through a crafted request, leading to the execution of arbitrary commands on the server.

How significant is CVE-2022-22954 for organizations?

Exploitation of this vulnerability is very likely given its critical severity. Because it affects identity and access management portals used for remote access, successful exploitation could grant attackers control over systems and sensitive data, posing a high business risk.

What steps should be taken to address CVE-2022-22954?

Organizations should identify affected assets, reduce exposure by isolating risks, and apply vendor-provided fixes. Verification and continuous monitoring are crucial post-remediation to ensure systems and data are protected.

References

Cyber Threat Intelligence (CTI)

Sources: malpedia