VMware has published a security advisory for a critical vulnerability (CVE-2022-22954), warning about the possibility of a threat actor with network access triggering a server-side template injection that results in Remote Code Execution (RCE) in VMware Workspace One Access and VMware Identity Manager products. VMware has released security updates for the affected products and workaround instructions to help address the risk for deployments that administrators can’t immediately update. At the same time, it underlined the importance of addressing the vulnerability: “This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0011. The ramifications of this vulnerability are serious.” This week, numerous security researchers created working exploits for CVE-2022-22954, with at least one proof-of-concept exploit published on Twitter. While releasing public exploits raises the risks that threat actors will exploit them in attacks, they are also meant to help secure systems through testing and serve as validators of existing fixes/patches. Today, threat actors are actively scanning for vulnerable hosts, with cybersecurity intelligence firm Bad Packets telling reporters that they are detecting attempts to exploit the vulnerability in the wild. The IP address used in the payload, 22.214.171.124, was recently seen dropping the Linux Tsunami backdoor in other attacks. Security researcher Daniel Card also shared on Twitter that the vulnerability was being exploited to drop coin miner payloads, commonly the first attacks seen when threat actors target a new vulnerability. Some of these threat actors are then closing the vulnerability once they gain control of the server. Card told reporters that we would likely see ransomware gangs begin to utilize the exploit soon to spread laterally within networks.
Due to its active exploitation, it is extremely urgent to apply the VMware security updates or mitigations as soon as possible. For users of VMware products, it is worth noting that the vendor’s advisory lists several high severity flaws apart from the aforementioned RCE vulnerability, which affect additional products besides Workspace One Access and Identity Manager, so ensure these products are also using the latest available version.