Attackers are exploiting VMware RCE to deliver malware (CVE-2022-22954)

Cyber crooks have begun exploiting CVE-2022-22954, a RCE vulnerability in VMware Workspace ONE Access and Identity Manager, to deliver cryptominers onto vulnerable systems.

About CVE-2022-22954

CVE-2022-22954 is, in effect, a server-side template injection vulnerability that can be triggered by a malicious actor with network access to achieve remote code execution.

It was reported to VMware privately and a fix and a workaround for it was released on April 6, along with fixes for seven other flaws in various VMware solutions.

CVE-2022-22954 is the most critical of the bunch, and VMware urged administrators to patch or mitigate it immediately, as “the ramifications of this vulnerability are serious.”

The warning was echoed earlier this week by NHS Digital, which noted that vulnerabilities in VMware products have been commonly targeted by ATP groups in the past.

“Multiple proof of concept (PoC) codes to exploit CVE-2022-22954 are now being publicly circulated and could be used to replicate the attack against an affected system,” the organization noted. “Due to the trivial nature of the PoC exploits, weaponisation of CVE-2022-22954 is more likely.”

And it came to that soon, as confirmed by Bad Packets and security researcher Daniel Card:

This is being exploited in the wild and crypto miners are being deployed#HUMINT
CVE-2022-22954#Vmware #Workspace Vulnerabilities

Expect #ransomware now/soon https://t.co/WlVy4EF9ZG

— MrR3b00t | #StandWithUkraine #DefendAsOne (@UK_Daniel_Card) April 13, 2022

Admins who haven’t yet implemented the fix or the offered mitigation are advised to get a move on.