CVE-2022-22954:
A remote code execution vulnerability (CVE-2022-22954) in VMware Workspace ONE Access and Identity Manager allows an attacker with network access to trigger server-side template injection, potentially leading to full remote control of the affected system. The vulnerability affects Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 and Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3.
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8Critical- Published Date:Apr 11, 2022
- CISA KEV Date:Apr 14, 2022
- Industries Affected:20
3 DaysThreat Predictions
- EPSS Score:94.4
- EPSS Percentile:100%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
A remote code execution vulnerability (CVE-2022-22954) in VMware Workspace ONE Access and Identity Manager allows an attacker with network access to trigger server-side template injection, potentially leading to full remote control of the affected system. The vulnerability affects Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 and Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3.
Overview
This CVE describes a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager arising from server-side template injection. A malicious actor with network access can trigger the SSTI to run arbitrary commands on the server, potentially gaining full control over the affected appliance and its data. The flaw affects several released versions, underscoring the importance of applying the available fix from VMware to mitigate the risk.
Remediation
- Apply the VMware advisory fix: upgrade to the patched release or the minimum fixed version specified by VMware for CVE-2022-22954 (per VMSA-2022-0011) for both Workspace ONE Access and Identity Manager.
- If upgrade is not immediately possible, apply compensating controls: restrict network exposure to management interfaces, and place the services behind a hardened gateway or WAF that blocks suspicious inputs.
- Verify and harden input handling and template rendering paths where possible; ensure access is restricted and robust authentication is in place.
- After patching, conduct a verification pass to ensure the service operates correctly and monitor for signs of exploitation (unusual activity, unexpected commands, orCredential changes).
- Rotate credentials and review access controls for admin and service accounts as a precautionary measure following remediation.
References
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:*No Data*
- CISA KEV Date:Apr 14, 2022
- Days Early:3 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
