Threat Watch

Iranian Hacking Group Exploiting Recently Disclosed VMware Vulnerability

Morphisec, a company defending against evasive polymorphic threats, discovered exploitation attempts for a week-old Remote Code Execution (RCE) vulnerability in VMware Workspace ONE Access/Identity Manager on April 14 and 15. Based on signs of a sophisticated Core Impact backdoor, Morphisec believes that the Iranian-linked hacking group called Rocket Kitten is behind those attacks. Over 500,000 organizations worldwide use VMWare. Hackers exploiting the RCE vulnerability can potentially gain the highest privileged access to any components of the virtualized host and guest environment.


This is a new server-side template injection vulnerability that affects an Apache Tomcat component, resulting in a malicious command being executed on the hosting server. Morphisec has discovered PowerShell commands executed as child processes to the legitimate Tomcat prunsrv.exe process application as part of the attack chain. This vulnerability can be exploited by threat actors with network access to obtain full remote code execution against VMware’s identity access management. According to Morphisec, attackers have previously exploited this vulnerability to launch reverse HTTPS backdoors using Cobalt Strike, Metasploit, or Core Impact beacons. These types of attacks may be able to bypass common defenses such as Anti-Virus (AV) or Endpoint Detection and Response (EDR). Users of VMWare’s identity and access management solution should deploy the patches as soon as possible. Virtual patching should be considered by organizations that are unable to apply the patch(es) immediately. Customers using VMware should also review their VMware infrastructure to ensure that the impacted components are not accidentally published on the internet, which increases the risk of exploitation.