Exploitation for VMware Vulnerabilities (CVE-2022-22972 and CVE-2022-22973)


On May 18, 2022, VMware disclosed two vulnerabilities (CVE-2022-22972 and CVE-2022-22973) in VMware Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Lifecycle Manager, vRealize Automation, and VMware Cloud Foundation products. On the same day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive (ED 22-03) and alert (AA22-138B) warning of threat actors chaining unpatched VMware vulnerabilities for full system control.

According to CISA, sophisticated threat actors previously reverse engineered two VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960) within 48 hours of their April 6 disclosure and then exploited them in the wild. CISA expects threat actors to quickly develop exploits for the May 18 vulnerabilities that impact the same VMware products.

By exploiting the May vulnerabilities, attackers could obtain administrative access without needing to authenticate (CVE-2022-22972) or could escalate privileges to ‘root’ (CVE-2022-22973). Exploitation of April vulnerability CVE-2022-22960 also enables privilege escalation, and CVE-2022-22954 can trigger a server-side template injection that could result in remote code execution.

Recommended actions:

We recommend that customers review the VMware advisory and apply updates as appropriate in their environments.


If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk


Keeping Up To Date With Us Is Easy, Sign Up To Our Newsletter Today!

Stay in touch with emPSN, so that you get the latest e-safety advice and invites to our community events.

Our partners