Critical Authentication Bypass Vulnerability in VMware Products – CVE-2022-22972


On Wednesday, May 18, 2022, VMware published an advisory (VMSA-2022-0014) to address multiple vulnerabilities, including CVE-2022-22972, an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

This vulnerability was assigned a CVSSv3 score of 9.8, making it a critical vulnerability. If successfully exploited, a threat actor with network access to a vulnerable appliance may be able to obtain administrative access without the need to authenticate. The exploitation of vulnerabilities like this is a common tactic used by ransomware groups after gaining initial footholds in victim networks.

While there is no known Proof of Concept (PoC) exploit code or observed exploitation in the wild for CVE-2022-22972, the Cybersecurity and Infrastructure Security Agency (CISA) has indicated that similar types of vulnerabilities disclosed last month in the same VMware products quickly had exploits developed and used in attacks by threat actors within days of a patch being released. We assess that threat actors will move quickly to reverse engineer the patches for CVE-2022-22972 and develop exploits to use in targeted attacks such as ransomware.

We strongly recommend you review the below listing of affected VMware appliances and follow VMware’s patching or workaround guidance for any identified vulnerable appliances in your network with a priority focus on internet-facing appliances.

Impacted Appliances

Product Component / Affected Version(s) / VMware Guidance

VMware Workspace ONE Access Appliance
  • 21.08.0.0
  • 21.08.0.1
  • 20.10.0.0
  • 20.10.0.1
  VMware Guidance: patch or workaround per VMSA-2022-0014

VMware Identity Manager Appliance
  • 3.3.3
  • 3.3.4
  • 3.3.5
  • 3.3.6
  VMware Guidance: patch or workaround per VMSA-2022-0014

VMware vRealize Automation
  • 7.6
  VMware Guidance: patch or workaround per VMSA-2022-0014
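As an added example (not part of this post or of VMware's or Arctic Wolf's tooling), the following Python script checks an appliance inventory against the affected-version list above and orders the hits with internet-facing appliances first, matching the priority recommended earlier. The affected versions are the ones listed on this page; the Appliance record, the inventory format, the sample hostnames and versions, and the version-normalisation rule are assumptions made for the example.

```python
"""Triage a VMware appliance inventory against the CVE-2022-22972 affected list.

Added example, not vendor tooling. Affected versions come from the VMSA-2022-0014
listing on this page; the inventory layout and sample hosts are constructed.
"""
import re
from dataclasses import dataclass

# Affected versions as listed in the advisory table above (product -> versions).
AFFECTED_VERSIONS = {
    "VMware Workspace ONE Access": {"21.08.0.0", "21.08.0.1", "20.10.0.0", "20.10.0.1"},
    "VMware Identity Manager": {"3.3.3", "3.3.4", "3.3.5", "3.3.6"},
    "VMware vRealize Automation": {"7.6"},
}


@dataclass(frozen=True)
class Appliance:
    hostname: str
    product: str
    version: str           # version string as reported by the appliance
    internet_facing: bool  # True if reachable from the internet (drives priority)


def normalize(version: str) -> tuple:
    """Turn '21.08.0.1' or '3.3.6 Build 1234' into a comparable tuple of ints.

    Assumption: only the leading dotted-numeric token identifies the release, and
    trailing zero components are insignificant, so '7.6.0' equals '7.6'.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


_AFFECTED_NORMALIZED = {
    product: {normalize(v) for v in versions}
    for product, versions in AFFECTED_VERSIONS.items()
}


def is_affected(product: str, version: str) -> bool:
    """True if the product/version pair is in the advisory's affected list.

    Products absent from the table are not flagged by this check; they still
    need to be reviewed against the full advisory.
    """
    affected = _AFFECTED_NORMALIZED.get(product)
    return affected is not None and normalize(version) in affected


def triage(inventory):
    """Return affected appliances, internet-facing first, then by hostname."""
    hits = [a for a in inventory if is_affected(a.product, a.version)]
    return sorted(hits, key=lambda a: (not a.internet_facing, a.hostname))


# Constructed sample inventory: hostnames and the non-listed versions are made up.
SAMPLE_INVENTORY = [
    Appliance("idm-01.corp.example", "VMware Identity Manager", "3.3.6", False),
    Appliance("access-dmz.example", "VMware Workspace ONE Access", "21.08.0.1", True),
    Appliance("access-new.example", "VMware Workspace ONE Access", "22.09.0.0", True),
    Appliance("vra-01.corp.example", "VMware vRealize Automation", "7.6.0", False),
    Appliance("vra-02.corp.example", "VMware vRealize Automation", "8.8", False),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_INVENTORY):
        flag = "INTERNET-FACING" if a.internet_facing else "internal"
        print(f"{a.hostname:24} {a.product:30} {a.version:10} {flag}")
```

A version match tells you an appliance is in scope for review; confirm against VMware's guidance whether the fix is a hotfix or a new release before treating a non-matching version as safe.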

Sule Tatar

Sule Tatar is a Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.