VMware Workspace One flaw actively exploited in the wild

A critical vulnerability in VMware's Workspace One is under active exploitation, the cloud software vendor said in a Wednesday security advisory update.

The vulnerability is CVE-2022-22954, a server-side template injection flaw capable of remote code execution. It affects Workspace One's Access and Identity Manager, part of Workspace One's larger IT management suite. The flaw was patched April 6 alongside seven others -- most of which were high or critical severity. Workarounds are also available.

Complete details about CVE-2022-22954, CVE-2022-22955,CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 and CVE-2022-22961 are available in VMware's security advisory.

What makes CVE-2022-22954 distinct from the other critical vulnerabilities is that on Wednesday, VMware updated its advisory to confirm that the vulnerability has been exploited in the wild. Earlier this week, multiple researchers published proofs of concept, or POCs, of the exploit on Twitter -- at least one of which is available in greater detail on GitHub.

Additionally, multiple threat intelligence providers have detected threat actor activity resulting from the flaw this week, including Bad Packets and GreyNoise Intelligence, as well as prominent threat researcher Daniel Card. Card tweeted Wednesday -- the same day VMware confirmed exploitation -- that cryptocurrency miners were being deployed, and to "expect ransomware soon."

We're seeing ~10 IPs exploiting the VMWare Workspace ONE RCE (CVE-2022-22954) at-scale across the internet in @GreyNoiseIO. FW Blocks + Tags available to all users and customers now. https://t.co/uvRpXl7QYf

Insanely quick work by @kimb3r__, #Konstantin, @_mattata, @nathanqthai pic.twitter.com/XEQOmWKg6C

— Andrew Morris (@Andrew___Morris) April 13, 2022

VMware also released a workaround for CVE-2022-22954. However, the vendor noted in a Q&A that the only way to fully remove the vulnerabilities is to patch them.

"Workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not," the Q&A read. "While the decision to patch or use the workaround is yours, VMware always strongly recommends patching as the simplest and most reliable way to resolve this issue."

A VMware spokesperson shared the following statement with SearchSecurity: "VMware has updated our March 6 security advisory to confirm that exploitation of CVE-2022-22954 has occurred in the wild, and we continue to urge customers to apply the patches or workarounds provided in the advisory, VMSA-2022-0011. The security of our customers is a top priority, and VMware encourages customers to deploy our all our products in a security-hardened configuration and apply the latest product updates for their environment."

Alexander Culafi is a writer, journalist and podcaster based in Boston.