Security Experts:

Connect with us

Hi, what are you looking for?



VMware Patches Critical Flaw in Workspace ONE UEM Console

VMware on Thursday announced the release of patches for a critical server-side request forgery (SSRF) vulnerability in Workspace ONE UEM console.

VMware on Thursday announced the release of patches for a critical server-side request forgery (SSRF) vulnerability in Workspace ONE UEM console.

An attacker could exploit the flaw to access sensitive data in the management console, VMware says. Tracked as CVE-2021-22054, the security error carries a CVSS score of 9.1.

To exploit the vulnerability, an attacker needs to have network access to UEM, so they can send unauthenticated requests and trigger the bug.

The vulnerability was reported privately to the cloud computing and virtualization technology company, and both patches and workarounds have been released to address it.

CVE-2021-22054 was fixed with the release of VMware Workspace ONE UEM console versions,,, and VMware Workspace ONE UEM patch and above also address the bug.

VMware also says it has mitigated the issue for VMware-hosted Workspace ONE consoles and notes that some workarounds are available for on-premises installations.

“The issue has been mitigated across all SaaS environments through infrastructure changes which will remain in place until VMware Cloud Operations has deployed the necessary patches,” VMware says.

Organizations that cannot patch their on-premises environments can find available workarounds in a support article. The workaround was designed to block access to a specific endpoint when the request includes a ‘url’ query parameter, thus removing the possibility of exploitation.

Related: VMware Patches File Read, SSRF Vulnerabilities in vCenter Server

Related: VMware Working on Patches for Serious vCenter Server Vulnerability

Related: VMware Calls Attention to High-Severity vCenter Server Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.