Overview of CVE-2022-22954

RCE Vulnerability: VMware Workspace ONE

Advanced threat actors are currently exploiting CVE-2022-22954, a critical remote code execution (RCE) vulnerability caused by a server-side template injection in VMware Workspace ONE Access and Identity Manager. VMware addressed the vulnerability and issued a patch on April 6, 2022; however, by April 13, 2022, proof-of-concept (PoC) exploit code had been published, allowing attackers to target vulnerable systems. The vulnerability has been given a CVSSv3 score of 9.8.

VMware is a cloud computing and virtualization platform used by 500,000 organizations, and its Workspace ONE Access software provides multi-factor authentication and single sign-on to SaaS, as well as mobile apps.

An Iranian cyber espionage group named Rocket Kitten has already begun to exploit CVE-2022-22954. According to VMware, attackers can bypass the authentication mechanism in VMware Workspace ONE Access and Identity Manager and execute any operation due to exposed endpoints in the authentication framework. Before reports regarding Rocket Kitten were published, the researchers at Morphisec Labs believed that the threat actors exploiting the vulnerability were APTs due to indicators of a sophisticated Core Impact backdoor. The tactics and techniques they discovered are common amongst APTs like Rocket Kitten.  

Impacted versions:  

  • VMware Workspace ONE Access Appliance  
    • 21.08.01
  • VMware Identity Manager Appliance  
    • 3.3.6 
    • 3.3.5
    • 3.3.4
    • 3.3.3 

According to Morphisec Labs, CVE-2022-22954 is a server-side template injection that affects an Apache Tomcat component and allows malicious commands to be executed on the hosting server. Morphisec has also detected PowerShell commands executed as child processes of the Tomcat “prunsrv.exe” process. If an attacker succeeds in gaining access, they can achieve full remote code execution against VMware’s identity access management.

With this new vulnerability, attackers can deploy ransomware or coin miners as part of their initial access, lateral movement, or privilege escalation. Threat actors were also observed launching reverse HTTPS backdoors, such as those from Metasploit and Cobalt Strike. If the attacker has privileged access, they can bypass defenses, including antivirus and endpoint detection and response.

Because many threat actors are exploiting CVE-2022-22954 and they don’t need administrative access to do so, it’s important to implement VMware’s patch. The company has also issued workarounds for the vulnerability which you can find below. Patching is one of the best ways to prevent threat actors from compromising your organization. Don’t wait until your organization is breached to take action.  


How Avertium is Protecting Our Customers:

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. 
  • Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident like a malware attack. 
  • Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement.  
  • Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it's an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes.   

Avertium's recommendations

  • If you can, you should apply VMware’s patch for CVE-2022-22954 as soon as possible.  
  • If you cannot apply VMware’s patch, follow VMware’s workaround instructions (KB 88098, listed under Supporting documentation).
  • To reduce exploitation risks, review your VMware architecture, making sure that your affected components are not accidentally published on the internet.  



Indicators of compromise (IoCs)

  • Stage 1: hxxp://138.124.184[.]220/work_443.bin_m2[.ps1]
  • Stage 2: 746FFC3BB7FBE4AD229AF1ED9B6E1DB314880C0F9CB55AEC5F56DA79BCE2F79B 
  • Stage 3: 7BC14D231C92EEEB58197C9FCA5C8D029D7E5CF9FBFE257759F5C87DA38207D9 
  • C2 Server: 185.117.90[.]187 
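
The behaviour Morphisec reported (PowerShell spawned by the Tomcat service process) and the indicators in this list can be checked together against process-creation telemetry. The following is an added example, not code from Avertium, Morphisec or VMware; it assumes events with Sysmon-style field names (ParentImage, Image, CommandLine, Hashes), and the sample events, file paths and the pwsh.exe entry are constructed for illustration.

```python
import ntpath
import re

# Indicators copied from this notice; kept defanged and refanged only at match time.
DEFANGED_ADDRESSES = ["138.124.184[.]220", "185.117.90[.]187"]
SHA256_IOCS = {
    "746FFC3BB7FBE4AD229AF1ED9B6E1DB314880C0F9CB55AEC5F56DA79BCE2F79B",
    "7BC14D231C92EEEB58197C9FCA5C8D029D7E5CF9FBFE257759F5C87DA38207D9",
}
TOMCAT_SERVICE = "prunsrv.exe"  # Apache Tomcat's Windows service wrapper
# pwsh.exe (PowerShell 7) is an assumption; the notice only says "PowerShell".
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

def refang(value):
    """Undo the [.] and hxxp defanging used in the notice."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def triage(event):
    """Return the reasons a process-creation event matches this notice."""
    reasons = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent == TOMCAT_SERVICE and child in POWERSHELL_IMAGES:
        reasons.append("powershell-child-of-tomcat")
    cmd = event.get("CommandLine", "")
    for address in map(refang, DEFANGED_ADDRESSES):
        # Digit guards stop 185.117.90.187 from matching inside 185.117.90.1870.
        if re.search(r"(?<!\d)" + re.escape(address) + r"(?!\d)", cmd):
            reasons.append("address:" + address)
    for digest in re.findall(r"SHA256=([0-9A-Fa-f]+)", event.get("Hashes", "")):
        if digest.upper() in SHA256_IOCS:
            reasons.append("sha256:" + digest.upper())
    return reasons

# Constructed sample events; field names follow Sysmon Event ID 1 (assumption).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\example\tomcat\bin\prunsrv.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe constructed-args " + refang(DEFANGED_ADDRESSES[0])},
    {"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe Get-Date",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\example\dropped.exe", "CommandLine": "dropped.exe",
     "Hashes": "MD5=00,SHA256=" + sorted(SHA256_IOCS)[0].lower()},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(ntpath.basename(event["Image"]), triage(event))
```

The parent/child rule fires regardless of command-line content, so it still flags activity when the delivery host or payload hashes change.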



Supporting documentation

VMSA-2022-0011 (vmware.com) 

Iranian Hacking Group Among Those Exploiting Recently Disclosed VMware RCE Flaw (darkreading.com) 

Hackers exploit critical VMware RCE flaw to install backdoors (bleepingcomputer.com) 

HW-154129 - Workaround instructions to address CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 in Workspace ONE Access Appliance (VMware Identity Manager) (88098) 

VMWare Identity Manager Attack: New Backdoor Discovered (morphisec.com) 


