Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Exploitation of VMware Vulnerability Imminent Following Release of PoC

When VMware announced patches for a critical vulnerability on May 18, users were warned that exploitation in the wild would likely start soon, and now a proof-of-concept (PoC) exploit targeting the flaw has been made public.

When VMware announced patches for a critical vulnerability on May 18, users were warned that exploitation in the wild would likely start soon, and now a proof-of-concept (PoC) exploit targeting the flaw has been made public.

The vulnerability, tracked as CVE-2022-22972, affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. It allows a malicious actor who has network access to the UI to bypass authentication.

Shortly after VMware released patches, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors would “quickly develop a capability to exploit CVE-2022-22972,” as well as CVE-2022-22973, a privilege escalation fixed with the same round of patches.

Penetration testing company Horizon3.ai on Thursday published a technical deep dive for CVE-2022-22972 and made public a PoC exploit. VMware has updated its initial advisory to inform customers about the availability of a PoC, which further increases the chances of exploitation.

In fact, threat intelligence company GreyNoise reported on Friday that it’s already seeing scans for vulnerable systems.

Horizon3.ai, which described CVE-2022-22972 as a “relatively simple Host header manipulation vulnerability,” said a motivated attacker would not have difficulties developing an exploit.

“A quick search on Shodan.io for the affected VMware applications returns a pretty low count of organizations that expose them to the internet,” the company said. “Of note, the healthcare, education industry, and state government all seem to be a fair amount of the types of organizations that have exposures – putting them at larger risk for current and future exploitation.”

When the vulnerability came to light, CISA issued an emergency directive instructing federal agencies to patch CVE-2022-22972 and CVE-2022-22973 by May 23, or remove affected instances from their network until a patch can be applied.

Advertisement. Scroll to continue reading.

The products affected by CVE-2022-22972 and CVE-2022-22973 are also impacted by CVE-2022-22954 and CVE-2022-22960, which have been exploited in the wild — both separately and chained — by multiple threat groups since early April.

Related: VMware Confirms In-the-Wild Exploitation of vCenter Server Vulnerability

Related: Critical Code Execution Flaw Haunts VMware Cloud Director

Related: VMware vCenter Server Vulnerability Can Facilitate Attacks on Many Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

Former Wiz executive Trish Cagliostro has joined Orchid Security as Chief Revenue Officer.

Transcend has named former UnitedHealth Group CISO Aimee Cardwell as CISO in Residence.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.