Overview
Malicious actors have exploited, and are currently exploiting, VMware vulnerabilities that can lead to full control of a system.
An attacker could use these vulnerabilities either separately or in tandem with one another to take control of an affected system.
The platforms known to be affected are as follows:
- VMware Workspace ONE Access,
- VMware Identity Manager (vIDM),
- VMware vRealize Automation (vRA),
- VMware Cloud Foundation, and
- vRealize Suite Lifecycle Manager.
If you or your business is using VMware products, OCSIA recommends that you apply the latest updates promptly to protect you and your business.
Detail
Exploitation of CVE-2022-22972 and CVE-2022-22973 is expected, and exploitation of CVE-2022-22954 and CVE-2022-22960 has recently been discovered.
CVE-2022-22972 is an authentication bypass that could allow an attacker with network access to the UI to gain administrative access without needing to authenticate. CVE-2022-22973, rated Important, is a local privilege escalation that could allow a local attacker to escalate privileges to root.
Other vulnerabilities in these products can also allow malicious actors to employ server-side template injection, which may result in remote code execution (RCE) (CVE-2022-22954), or to escalate privileges to root (CVE-2022-22960).
APT (Advanced Persistent Threat) groups began exploiting these last two vulnerabilities within two days of their being made public.
Recommended Action
- Vulnerable VMware products should be updated to the latest version; patches are available that remediate these vulnerabilities. Alternatively, remove the affected versions from your or your organisation's networks.
Further information and guidance can be found on the VMware website:
VMSA-2022-0014: Questions & Answers
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.