VMware released software updates on Wednesday to plug two critical security vulnerabilities affecting its Carbon Black App Control platform that could be abused by a malicious actor to execute arbitrary code on affected installations on Windows systems. Tracked as CVE-2022-22951 and CVE-2022-22952, both flaws are rated 9.1 out of a maximum of 10 on the CVSS vulnerability scoring system. Credited with reporting the two issues is security researcher Jari Jääskelä.

Successful exploitation of the vulnerabilities depends on the prerequisite that the attacker is already logged in as an administrator or a highly privileged user.

VMware Carbon Black App Control is an application allowlisting solution that is used to lock down servers and critical systems, prevent unwanted changes, and ensure continuous compliance with regulatory mandates.

CVE-2022-22951 has been described as a command injection vulnerability that could enable an authenticated, highly privileged actor with network access to the VMware App Control administration interface to “execute commands on the server due to improper input validation leading to remote code execution.” CVE-2022-22952, on the other hand, relates to a file upload vulnerability that could be weaponized by an adversary with administrative access to the VMware App Control administration interface to upload a specially crafted file and achieve code execution on the Windows instance.
The flaws affect Carbon Black App Control versions 8.5.x, 8.6.x, 8.7.x, and 8.8.x, and have been remediated in versions 8.5.14, 8.6.6, 8.7.4, and 8.8.2. With unpatched VMware bugs becoming a lucrative attack vector, users are recommended to apply the updates to prevent potential exploitation.
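A triage check for the affected and fixed version ranges stated above, written here as an added example (it is not VMware's code or tooling); it assumes App Control reports its version as dotted integers and treats only the branches the advisory names as affected:

```python
# Added triage helper: classify an installed Carbon Black App Control version
# against the affected/fixed versions given in the advisory. Not VMware code.
from typing import Dict, Optional, Tuple

# Minimum fixed release per affected branch, as stated in the advisory.
# Branches absent from this table are not named as affected.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 5): (8, 5, 14),
    (8, 6): (8, 6, 6),
    (8, 7): (8, 7, 4),
    (8, 8): (8, 8, 2),
}

CVES = ("CVE-2022-22951", "CVE-2022-22952")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '8.7.3' (a trailing build number such as '8.7.3.120' is tolerated)."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text: str) -> dict:
    """Return whether the version is exposed to the two CVEs and the release to move to."""
    v = parse_version(version_text)
    fixed: Optional[Tuple[int, int, int]] = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        # Branch not listed as affected; nothing to do for these two CVEs.
        return {"version": version_text, "affected_branch": False,
                "vulnerable": False, "upgrade_to": None}
    vulnerable = v[:3] < fixed  # any build below the fixed release is exposed
    return {"version": version_text, "affected_branch": True,
            "vulnerable": vulnerable,
            "upgrade_to": ".".join(map(str, fixed)) if vulnerable else None}


if __name__ == "__main__":
    # Constructed sample inventory; replace with versions read from your hosts.
    for host, ver in [("appctl-01", "8.7.3"), ("appctl-02", "8.8.2"), ("lab-01", "8.5.13.200")]:
        r = assess(ver)
        status = f"upgrade to {r['upgrade_to']}" if r["vulnerable"] else "not affected"
        print(f"{host}: {ver} -> {status} ({', '.join(CVES)})")
```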