Try in Splunk Security Cloud


Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • Last Updated: 2022-05-19
  • Author: Michael Haag, Splunk
  • ID: d6d51cc2-a092-43b7-9f61-1159943afe39


On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. To further exacerbate this issue, VMware also disclosed a local privilege escalation issue, CVE-2022-22960, which permits the attacker to gain root after exploiting CVE-2022-22954. Products affected include - VMware Workspace ONE Access (Access) -, - and VMware Identity Manager (vIDM) 3.3.3 - 3.3.6.


Name Technique Type
VMware Server Side Template Injection Hunt Exploit Public-Facing Application, External Remote Services Hunting
VMware Workspace ONE Freemarker Server-side Template Injection Exploit Public-Facing Application, External Remote Services Anomaly


source | version: 1