When VMware announced patches for a critical vulnerability on May 18, users were warned that exploitation in the wild would likely start soon, and now a proof-of-concept (PoC) exploit targeting the flaw has been made public.
The vulnerability, tracked as CVE-2022-22972, affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. It allows a malicious actor who has network access to the UI to bypass authentication.
Shortly after VMware released patches, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors would “quickly develop a capability to exploit CVE-2022-22972,” as well as CVE-2022-22973, a privilege escalation fixed with the same round of patches.
Penetration testing company Horizon3.ai on Thursday published a technical deep dive for CVE-2022-22972 and made public a PoC exploit. VMware has updated its initial advisory to inform customers about the availability of a PoC, which further increases the chances of exploitation.
In fact, threat intelligence company GreyNoise reported on Friday that it’s already seeing scans for vulnerable systems.
Horizon3.ai, which described CVE-2022-22972 as a “relatively simple Host header manipulation vulnerability,” said a motivated attacker would not have difficulties developing an exploit.
“A quick search on Shodan.io for the affected VMware applications returns a pretty low count of organizations that expose them to the internet,” the company said. “Of note, the healthcare, education industry, and state government all seem to be a fair amount of the types of organizations that have exposures – putting them at larger risk for current and future exploitation.”
When the vulnerability came to light, CISA issued an emergency directive instructing federal agencies to patch CVE-2022-22972 and CVE-2022-22973 by May 23, or remove affected instances from their network until a patch can be applied.
The products affected by CVE-2022-22972 and CVE-2022-22973 are also impacted by CVE-2022-22954 and CVE-2022-22960, which have been exploited in the wild — both separately and chained — by multiple threat groups since early April.
Related: VMware Confirms In-the-Wild Exploitation of vCenter Server Vulnerability
Related: Critical Code Execution Flaw Haunts VMware Cloud Director
Related: VMware vCenter Server Vulnerability Can Facilitate Attacks on Many Organizations

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
