Security News > 2022 > August > VMware urges admins to patch critical auth bypass bug immediately
VMware has warned admins today to patch a critical authentication bypass security flaw affecting local domain users in multiple products and enabling unauthenticated attackers to gain admin privileges.
"This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA," VMware warned.
VMware provides patch download links and detailed installation instructions on its knowledgebase website.
VMware doesn't recommend using this workaround and says the only way to address the CVE-2022-31656 auth bypass flaw fully is to patch the vulnerable products.
"While the decision to patch or use the workaround is yours, VMware always strongly recommends patching as the simplest and most reliable way to resolve this type of issue."
In May, VMware patched an almost identical critical vulnerability, another authentication bypass bug found by Bruno López of Innotec Security in Workspace ONE Access, VMware Identity Manager, and vRealize Automation.
News URL
Related news
- Juniper patches critical auth bypass in Session Smart routers (source)
- Moxa Issues Fix for Critical Authentication Bypass Vulnerability in PT Switches (source)
- Choose your own Patch Tuesday adventure: Start with six zero day fixes, or six critical flaws (source)
- GitLab patches critical authentication bypass vulnerabilities (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks (source)
- Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) (source)
- Critical flaw in Next.js lets hackers bypass authorization (source)
- Broadcom warns of authentication bypass in VMware Windows Tools (source)
- Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-08-05 | CVE-2022-31656 | Unspecified vulnerability in VMWare products VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. | 9.8 |