Security Advisory: Critical vulnerabilities in VMware
May 20, 2022
CVE(s) (if available): CVE-2022-22954, CVE-2022-22955,CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961, CVE-2022-22972, CVE-2022-22973
In early April VMware released patches for remote code execution and authentication bypass vulnerabilities against multiple VMWare products, including VMware Workspace ONE Access, VMWare identity Manager, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager. Per VMware’s advisories(,) adversaries with network access to these appliances could lead to exploitation. The Cybersecurity & Infrastructure Security Agency (CISA) has released an Alert stating that a “trusted third party” has identified this vulnerability as being exploited in the wild. Publicly available Proof-of-Concept exploits are appearing on Github generating an even greater sense of urgency to patch vulnerable versions.
In The Wild – EnemyBot
Lacework Labs is actively monitoring their sensor network for opportunistic attackers leveraging the vulnerability and integrating appropriate IoCs within the Lacework product. At this time, Lacewok Labs has identified “Enemybot” targeting these CVEs as well as the recent remote code execution vulnerability within F5’s Big IP (CVE-2022-1388) line of products. Enemybot is the latest variant of Keksec’s DDOS malware and has been observed exploiting a host of other vulnerabilities including those for IoT devices.
Known Affected Software
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
At the time of this writing, this is currently an evolving story and Lacework Labs will be closely monitoring the situation. Following security advisories from VMware (,) and ensuring vulnerable hosts are monitored and patched