Security Advisory: VMware Vulnerabilities Gives System Control to Hackers

CyberHoot Vulnerability Alert Management Process Rating (VAMP): Critical/Red
May 19th, 2022: CyberHoot has learned of a number of VMware software vulnerabilities tracked as CVE-2022-22954 (Base score: 9.8/10) and CVE-2022-22960 (Base score: 7.8/10), and are actively being exploited by hackers. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Exploiting these vulnerabilities allows hackers to trigger a server-side template injection that may result in Remote Code Execution (RCE) (CVE-2022-22954) or escalation of privileges to root (CVE-2022-22960). 

VMware released updates for both vulnerabilities on April 6, 2022, and, according to CISA, hackers were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices. CISA was made aware of this exploit a week later and added CVE-2022-22954 and CVE-2022-22960 to its catalog of Known Exploited Vulnerabilities on April 14 and April 15, respectively. In accordance with Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies were required to apply updates for CVE-2022-22954 and CVE-2022-22960 by May 5, and May 6, 2022, respectively. 

VMware Vulnerabilities Technical Details

CVE-2022-22954 enables an actor with network access to trigger a server-side template injection that may result in RCE. This vulnerability affects the following products:

    • VMware Workspace ONE Access, versions,,,
    • vIDM versions 3.3.6, 3.3.5, 3.3.4, 3.3.3
    • VMware Cloud Foundation, 4.x
    • vRealize Suite LifeCycle Manager, 8.

CVE-2022-22960 allows hackers with local access to escalate privileges to root due to improper permissions in support scripts. This vulnerability affects the following products:

    • VMware Workspace ONE Access, versions,,,
    • vIDM, versions 3.3.6, 3.3.5, 3.3.4, 3.3.3
    • vRA, version 7.6 
    • VMware Cloud Foundation, 3.x, 4.x, 
    • vRealize Suite LifeCycle Manager, 8.x

According to CISA, threat actors may chain these vulnerabilities. At one compromised organization in April 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.

What Should You Do?

Patch your VMware systems as soon as possible, or remove the affected software from your network until a patch can be applied.

To stay up to date at all times, it’s important to deploy a cloud-based patch management solution to automatically update software whenever and wherever necessary. Most Managed Service Providers leverage one of the big three Remote Monitoring and Management (RMM) solutions (ConnectwiseDatto, and Kaseya) for patching their managed systems. These RMM solutions also provide monitoring, and remote access in addition to tested and validated patching services to their clients.

Standalone patch management solutions for companies not using the above-mentioned RMM solutions include ManageEngine and Automox.

You have a Vulnerability Alert Management Process, right?

If you’re a subscriber to CyberHoot’s services, you’ll have access to our Policy and Process library which contains the vulnerability alert management process document. This document prescribes how to respond to situations like this and in what time frame. If your company has not yet adopted a VAMP-like process, now is a great time to get started.

Secure your business with CyberHoot Today!!!

Share this on your social networks. Help Friends, Family, and Colleagues become more aware and secure.