CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2022-22954

CVSS 9.8v3.1pub. 2022-04-11upd. 2025-10-30

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linux Kernel

    APP
    Linux
    wszystkie wersje
  • VMware Cloud Foundation

    APP
    Vmware
    4.0 – 4.3.1
  • VMware Identity Manager

    APP
    Vmware
    3.3.33.3.43.3.53.3.6
  • VMware Vrealize Automation

    APP
    Vmware
    7.6
  • VMware Vrealize Suite Lifecycle Manager

    APP
    Vmware
    8.0 – 8.2
  • VMware Workspace One Access

    APP
    Vmware
    20.10.0.020.10.0.121.08.0.021.08.0.1

CISA KEV — detailsi

Vendori
VMware
Producti
Workspace ONE Access and Identity Manager
Added to KEVi
April 14, 2022
Remediation deadline (US Federal)i
May 5, 2022(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 5 maja 2022
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-34028CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP

CVE-2025-22224CRITICAL9.3⚠ KEVPL ✓ten sam produkt

VMware ESXi/Workstation: TOCTOU umożliwia ucieczkę z VM przez VMX process

CVE-2024-38812CRITICAL9.8⚠ KEVPL ✓ten sam produkt

VMware vCenter Server — heap-overflow w DCERPC umożliwia RCE

CVE-2024-37079CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Heap overflow w VMware vCenter Server via protokół DCERPC — RCE