This is a new server-side template injection vulnerability that affects an Apache Tomcat component, resulting in a malicious command being executed on the hosting server. Morphisec has discovered PowerShell commands executed as child processes to the legitimate Tomcat prunsrv.exe process application as part of the attack chain. This vulnerability can be exploited by threat actors with network access to obtain full remote code execution against VMware’s identity access management. According to Morphisec, attackers have previously exploited this vulnerability to launch reverse HTTPS backdoors using Cobalt Strike, Metasploit, or Core Impact beacons. These types of attacks may be able to bypass common defenses such as Anti-Virus (AV) or Endpoint Detection and Response (EDR). Users of VMWare’s identity and access management solution should deploy the patches as soon as possible. Virtual patching should be considered by organizations that are unable to apply the patch(es) immediately. Customers using VMware should also review their VMware infrastructure to ensure that the impacted components are not accidentally published on the internet, which increases the risk of exploitation.

https://blog.morphisec.com/vmware-identity-manager-attack-backdoor