Security Experts:

Exploitation of VMware Vulnerability Imminent Following Release of PoC

When VMware announced patches for a critical vulnerability on May 18, users were warned that exploitation in the wild would likely start soon, and now a proof-of-concept (PoC) exploit targeting the flaw has been made public.

The vulnerability, tracked as CVE-2022-22972, affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. It allows a malicious actor who has network access to the UI to bypass authentication.

Shortly after VMware released patches, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors would “quickly develop a capability to exploit CVE-2022-22972,” as well as CVE-2022-22973, a privilege escalation fixed with the same round of patches.

Penetration testing company Horizon3.ai on Thursday published a technical deep dive for CVE-2022-22972 and made public a PoC exploit. VMware has updated its initial advisory to inform customers about the availability of a PoC, which further increases the chances of exploitation.

In fact, threat intelligence company GreyNoise reported on Friday that it’s already seeing scans for vulnerable systems.

Horizon3.ai, which described CVE-2022-22972 as a “relatively simple Host header manipulation vulnerability,” said a motivated attacker would not have difficulties developing an exploit.

“A quick search on Shodan.io for the affected VMware applications returns a pretty low count of organizations that expose them to the internet,” the company said. “Of note, the healthcare, education industry, and state government all seem to be a fair amount of the types of organizations that have exposures – putting them at larger risk for current and future exploitation.”

When the vulnerability came to light, CISA issued an emergency directive instructing federal agencies to patch CVE-2022-22972 and CVE-2022-22973 by May 23, or remove affected instances from their network until a patch can be applied.

The products affected by CVE-2022-22972 and CVE-2022-22973 are also impacted by CVE-2022-22954 and CVE-2022-22960, which have been exploited in the wild — both separately and chained — by multiple threat groups since early April.

Related: VMware Confirms In-the-Wild Exploitation of vCenter Server Vulnerability

Related: Critical Code Execution Flaw Haunts VMware Cloud Director

Related: VMware vCenter Server Vulnerability Can Facilitate Attacks on Many Organizations

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.