CVE-2022-22954
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on VMware Workspace ONE Access and Identity Manager systems through server-side template injection. Attackers with network access can exploit this to gain full control of affected systems. Organizations running vulnerable versions of these VMware products are affected.
💻 Affected Systems
- VMware Workspace ONE Access
- VMware Identity Manager
📦 What is this software?
vRealize Suite Lifecycle Manager by VMware
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data theft, lateral movement within the network, ransomware deployment, and persistent backdoor installation.
Likely Case
Unauthenticated remote code execution allowing attackers to execute commands, steal credentials, and establish footholds in the network.
If Mitigated
Limited impact if systems are patched, network segmentation is in place, and proper access controls prevent exploitation attempts.
🎯 Exploit Status
Multiple public exploit scripts available. Actively exploited in the wild as confirmed by CISA.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Workspace ONE Access 21.08.0.2 or later, Identity Manager 3.3.7 or later
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2022-0011.html
Restart Required: Yes
Instructions:
1. Download the appropriate patch from VMware's website.
2. Back up your system.
3. Apply the patch following VMware's documentation.
4. Restart the service/application.
5. Verify the patch was successful.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to vulnerable systems using firewall rules
Remove from Internet
Take vulnerable systems offline or move them behind VPN/restricted access
🧯 If You Can't Patch
- Immediately isolate affected systems from the network
- Implement strict network segmentation and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the version of VMware Workspace ONE Access or Identity Manager. If version is 21.08.0.1 or earlier for Access, or 3.3.6 or earlier for Identity Manager, the system is vulnerable.
Check Version:
Check the VMware product administration interface or consult product documentation for version information.
Verify Fix Applied:
Verify the version is updated to 21.08.0.2 or later for Workspace ONE Access, or 3.3.7 or later for Identity Manager.
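Inventory Triage Example:
The version check above, applied to a whole inventory, as an added example that is not part of the original advisory or any VMware tooling. The fixed-version thresholds are the ones stated on this page; the host names and the CSV layout are constructed for illustration. Versions are compared numerically per component, so 21.08.0.10 is correctly treated as newer than 21.08.0.2, which a plain string comparison gets wrong.

```python
import re

# First non-vulnerable version per product, as stated on this page.
FIXED = {
    "workspace one access": (21, 8, 0, 2),
    "identity manager": (3, 3, 7),
}

def parse_version(text):
    """Turn '21.08.0.1' into (21, 8, 0, 1); raise ValueError on anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def classify(product, version):
    """Return 'vulnerable', 'fixed' or 'unknown' for one inventory entry."""
    fixed = FIXED.get(product.strip().lower())
    if fixed is None:
        return "unknown"          # product not covered by this page
    try:
        found = parse_version(version)
    except ValueError:
        return "unknown"          # needs a manual check in the admin interface
    # Pad to equal length so '3.3' compares as 3.3.0, then compare numerically.
    width = max(len(found), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "fixed" if pad(found) >= pad(fixed) else "vulnerable"

# Constructed sample inventory (host,product,version); not real systems.
SAMPLE_INVENTORY = """\
idp-01,Workspace ONE Access,21.08.0.1
idp-02,Workspace ONE Access,21.08.0.10
idm-01,Identity Manager,3.3.6
idm-02,Identity Manager,3.3.7
idm-03,Identity Manager,unknown-build
"""

def triage(inventory_text):
    """Map each host in the CSV text to its classification."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        results[host] = classify(product, version)
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown should be checked by hand rather than assumed safe.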
📡 Detection & Monitoring
Log Indicators:
- Unusual template processing errors
- Suspicious HTTP requests to template endpoints
- Unexpected system command execution
Network Indicators:
- HTTP requests containing template injection payloads
- Unusual outbound connections from the VMware server
SIEM Query:
source="vmware_logs" AND ("template" OR "freemarker") AND ("error" OR "exception")
🔗 References
- http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html
- https://www.vmware.com/security/advisories/VMSA-2022-0011.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22954