On Wednesday, 18 May 2022, VMware published an advisory (VMSA-2022-0014) to address multiple vulnerabilities, including CVE-2022-22972, an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation.
This vulnerability was assigned a CVSSv3 score of 9.8, making it a critical vulnerability. If successfully exploited, a threat actor with network access to a vulnerable appliance may be able to obtain administrative access without the need to authenticate. The exploitation of vulnerabilities like this is a common tactic used by ransomware groups after gaining initial footholds in victim networks.
While there is no known Proof of Concept (PoC) exploit code or observed exploitation in the wild for CVE-2022-22972, the Cyber Security and Infrastructure Agency (CISA) has indicated that similar types of vulnerabilities disclosed last month in the same VMware products quickly had exploits developed and used in attacks by threat actors within days of a patch being released. We assess that threat actors will move quickly to reverse engineer the patches for CVE-2022-22972 and develop exploits to use in targeted attacks such as ransomware.
We strongly recommend you review the below listing of affected VMware appliances and follow VMware’s patching or workaround guidance for any identified vulnerable appliances in your network with a priority focus on internet-facing appliances.
Impacted Appliances
| Product Component | Affected Version(s) | VMware Guidance |
| VMware Workspace ONE Access Appliance |
|
https://kb.vmware.com/s/article/88438
https://kb.vmware.com/s/article/88433 |
| VMware Identity Manager Appliance |
|
|
| VMware Realize Automation 7.6 |
|
