Daily Threat Intel

Attackers actively exploiting VMware flaw that CISA deemed as posing “unacceptable risk” in May

Posted on October 21, 2022

Multiple campaigns are using CVE-2022-22954 to drop ransomware, coin miners and Mirai.

What: Multiple malicious campaigns are actively targeting a previously disclosed and now patched remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager (CVE-2022-22954). Researchers from Fortinet’s FortiGuard Labs on Thursday said they had observed threat actors exploiting the vulnerability to deploy Mirai botnet malware as well as RAR1 ransomware payloads and the GuardianMiner cryptocurrency mining tool on exposed systems. The vulnerability stems from a lack of input sanitization on the “deviceUdid” and “devicetype” parameters. Malicious actors with network access can leverage the vulnerability to trigger a server-side template injection that could lead to remote code injection.

Why it matters: The US Cybersecurity and Infrastructure Security Agency (CISA) had issued an emergency directive over the same vulnerability on May 18th over concerns that it posed an “unacceptable risk” to federal agencies. At the time, CISA had warned about multiple threat actors, including potentially advanced persistent threat groups, abusing the flaw to execute arbitrary code on affected systems. CISA said that in some attacks, threat actors were observed chaining CVE-2022-22954 with another privilege escalation bug in VMware Workspace ONE Access, Identity Manager and vRealize Automation tracked as CVE-2022-22960. In one incident, an unauthenticated attacker used CVE-2022-22954 to execute an arbitrary shell command in the context of the VMware user and then exploited CVE-2022-22960 to escalate the user’s privileges to root. The actor used the access to wipe logs, escalate permissions, and move laterally, CISA had warned.

CISA added CVE-2022-22954 to its Known Exploited Vulnerabilities catalog on April 14. Federal agencies had until May 5th to address the issue.

Details:
  • Fortinet report
  • Patch instructions for CVE-2022-22954
  • CISA alert
  • CISA emergency directive

©2025 Daily Threat Intel | Design: Newspaperly WordPress Theme