More VMware Workspace One Vulns

This is a fast publish

Vmware just released patches for two new vulnerabilities in Workspace One, followed by guidance from CISA to patch by May 23rd or remove the devices from the network/internet!

“All Federal Civilian Executive Branch agencies must complete the following actions:

By 5:00 PM EDT on Monday, May 23, 2022:

Enumerate all instances of impacted VMware products [VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager] on agency networks.

 For all instances of impacted VMware products enumerated in the required action (1) above:

 Deploy updates per VMware Security Advisory VMSA-2022-0014 available here


 Remove from the agency network until update can be applied.

Where updates are not available due to products being unsupported by the vendor (e.g., end of service, end of life), unsupported products must be immediately removed from agency networks.”

Shodan Queries

List of CVEs of concern

  • CVE-2022-22954
  • CVE-2022-22960
  • CVE-2022-22972
  • CVE-2022-22973

CISA Guidance
Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control | CISA

Emergency Directive 22-03 | CISA

CVE-2022-22954 POC

GitHub – tunelko/CVE-2022-22954-PoC: VMware Workspace ONE Access and Identity Manager RCE via SSTI – Test script for shodan, file or manual.