Crypto miners exploit VMware vulnerability in the wild
A critical vulnerability affecting VMware Workspace ONE Access and VMware Identity Manager allows malicious actors to remotely execute arbitrary code triggering server-side template injection. According to VMware, the vulnerability is actively exploited.
The vulnerability, which was notified as CVE-2022-22954, affects several versions VMware Workspace ONE Access and VMware Identity Manager, for which VMware has already provided patches.
Additionally, VMware has described workarounds which can be used as a temporary solution. However, workarounds may impact the functionality of affected products.
VMware does not rule out the possibility that alternative workarounds may be available, such as using a firewall to control the customer’s environment, but leaves the decision as to which measure to apply to customers.
All environments are different, have different risk tolerance, and have different security controls and defense-in-depth to mitigate risk, so customers must make their own decisions about how to proceed. However, given the severity of the vulnerability, we strongly recommend immediate action.
The vulnerability was originally reported by Steven Seeley from the Qihoo 360 Vulnerability Research Institute.
security researcher Map Daniel warned on Twitter that this vulnerability is being exploited in the wild by crypto miners and a new wave of ransomware attacks should be expected.
In addition to the patch for the VMware Workspace ONE Access and Identity Manager RCE vulnerability, VMware has also released patches for seven other vulnerabilities affecting VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.