When VMware announced patches for a critical vulnerability on May 18, users were warned that exploitation in the wild would likely start soon, and now a proof-of-concept (PoC) exploit targeting the flaw has been made public.
The vulnerability, tracked as CVE-2022-22972, affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. It allows a malicious actor who has network access to the UI to bypass authentication.
Shortly after VMware released patches, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors would “quickly develop a capability to exploit CVE-2022-22972,” as well as CVE-2022-22973, a privilege escalation fixed with the same round of patches.
Penetration testing company Horizon3.ai on Thursday published a technical deep dive for CVE-2022-22972 and made public a PoC exploit. VMware has updated its initial advisory to inform customers about the availability of a PoC, which further increases the chances of exploitation.
In fact, threat intelligence company GreyNoise reported on Friday that it’s already seeing scans for vulnerable systems.
Horizon3.ai, which described CVE-2022-22972 as a “relatively simple Host header manipulation vulnerability,” said a motivated attacker would not have difficulties developing an exploit.
“A quick search on Shodan.io for the affected VMware applications returns a pretty low count of organizations that expose them to the internet,” the company said. “Of note, the healthcare, education industry, and state government all seem to be a fair amount of the types of organizations that have exposures – putting them at larger risk for current and future exploitation.”
When the vulnerability came to light, CISA issued an emergency directive instructing federal agencies to patch CVE-2022-22972 and CVE-2022-22973 by May 23, or remove affected instances from their network until a patch can be applied.
The products affected by CVE-2022-22972 and CVE-2022-22973 are also impacted by CVE-2022-22954 and CVE-2022-22960, which have been exploited in the wild — both separately and chained — by multiple threat groups since early April.
Related: VMware Confirms In-the-Wild Exploitation of vCenter Server Vulnerability
Related: Critical Code Execution Flaw Haunts VMware Cloud Director
Related: VMware vCenter Server Vulnerability Can Facilitate Attacks on Many Organizations
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
- Dish Ransomware Attack Impacted Nearly 300,000 People
Latest News
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Security Pros: Before You Do Anything, Understand Your Threat Landscape

