Cybercriminals have started to exploit CVE-2022-22954, an RCE vulnerability in VMware Workspace ONE Access and Identity Manager, to deliver cryptominers onto vulnerable systems.
CVE-2022-22954 is a server-side template injection vulnerability that can be triggered by a malicious actor with network access to achieve remote code execution.
It was privately reported to VMware, and a fix and workaround were released on April 6, along with fixes for seven other security vulnerabilities in VMware solutions.
The most critical of the lot is CVE-2022-22954, which VMware urged administrators to patch or mitigate right away since “the ramifications of this vulnerability are serious.”
The warning was reinforced earlier this week by NHS Digital, which stated that APT groups have commonly targeted security vulnerabilities in VMware products.
Exploitation followed quickly, as Bad Packets and security researcher Daniel Card confirmed.
Admins who haven’t yet implemented the fix or the recommended mitigation should do so as soon as possible.