Security News > 2022 > April > Attackers are exploiting VMware RCE to deliver malware (CVE-2022-22954)
Cyber crooks have begun exploiting CVE-2022-22954, a RCE vulnerability in VMware Workspace ONE Access and Identity Manager, to deliver cryptominers onto vulnerable systems.
CVE-2022-22954 is, in effect, a server-side template injection vulnerability that can be triggered by a malicious actor with network access to achieve remote code execution.
It was reported to VMware privately and a fix and a workaround for it was released on April 6, along with fixes for seven other flaws in various VMware solutions.
CVE-2022-22954 is the most critical of the bunch, and VMware urged administrators to patch or mitigate it immediately, as "The ramifications of this vulnerability are serious."
The warning was echoed earlier this week by NHS Digital, which noted that vulnerabilities in VMware products have been commonly targeted by ATP groups in the past.
"Multiple proof of concept codes to exploit CVE-2022-22954 are now being publicly circulated and could be used to replicate the attack against an affected system," the organization noted.
News URL
https://www.helpnetsecurity.com/2022/04/14/cve-2022-22954/
Related news
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812) (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- VMware fixes critical RCE, make-me-root bugs in vCenter - for the second time (source)
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-04-11 | CVE-2022-22954 | Code Injection vulnerability in VMWare products VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. | 9.8 |