VMware warns of three critical holes in remote-control tool
VMware has revealed a terrible trio of critical-rated flaws in Workspace ONE Assist for Windows - a product used by IT and help desk staff to remotely take over and manage employees' devices.
A miscreant able to reach a Workspace ONE Assist deployment, either over the internet or on the network, can exploit any of these three bugs to obtain administrative access without the need to authenticate.
It's all possible because Workspace ONE Assist's authentication code appears to be - let's not sugar coat this - borked.
There's more! Workspace ONE Assist is also afflicted with a 6.4-rated cross-site scripting vulnerability that - thanks to improper user input sanitization - can be exploited, with some user interaction, to inject and run malicious JavaScript code in the victim's window.
These flaws apply to versions 21.x and 22.x of Workspace ONE Assist.
In happier news for Virtzilla, the company has announced that its cloudy wares are now available through HPE's GreenLake ITaaS platform, plus - irony alert - a "More secure" version of its Anywhere Workspace hybrid work suite.