Exploit code created for CVE-2022-22972 critical auth bypass in VMware products

Proof-of-concept exploit code is about to be published for a vulnerability that allows administrative access without authentication in several VMware products.

Identified as CVE-2022-22972, the security issue received a fix last Wednesday, accompanied by an urgent warning for administrators to install the patch or apply mitigations immediately.

PoC to be released

In an advisory on May 18th, VMware warned that the security implications of leaving CVE-2022-22972 unpatched are severe, as the issue is "in the critical severity range with a maximum CVSSv3 base score of 9.8" on a scale that tops out at 10.

The flaw affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation. The company warns that an attacker with network access to the appliance's user interface can bypass authentication and obtain administrative access for local domain users without any credentials.

Security researchers at attack surface assessment company Horizon3 announced today that they have created a working proof-of-concept (PoC) exploit for CVE-2022-22972 and will likely release a technical report at the end of the week.

They have not released any technical details yet, but the plan includes publishing exploit code that demonstrates the attack vector.

As a tease for what's to come, Horizon3's Attack Team published a screenshot showing that they gained access to a VMware Workspace ONE instance without any user signing in through the web login interface.

Researchers create exploit for VMware vulnerability CVE-2022-22972
source: Horizon3 Attack Team

VMware Workspace ONE allows companies to manage user devices and applications (personal or company-owned) by integrating them into a digital environment. The platform also provides access control to allow users to access corporate resources securely.

Horizon3 told BleepingComputer that the technical details in their report will include an analysis of the current patch to show "how an attacker may have previously abused this code path."

While there is no public report of attacks in the wild leveraging this vulnerability, the researchers say that motivated attackers may have already developed an exploit and started using it.

The researchers said that it took them a week to develop the exploit and that they plan to release a minimal version of it.

VMware recommends disabling all local users and administrators, leaving only provisioned users active. This is a workaround rather than a fix, and it does not fully mitigate the risk of attackers exploiting CVE-2022-22972; applying the patch remains the only complete remedy.

The severity of the vulnerability has been further highlighted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in an emergency directive published on the same day VMware released the fix for CVE-2022-22972.

At the moment there is no public information that threat actors are exploiting this security flaw. Nevertheless, threat actors have shown in the past that they are quick to exploit flaws shortly after patches are released, and even more so once technical details become public.

A set of critical vulnerabilities that VMware patched in April was being exploited in the wild within 48 hours of the company releasing its alert and the corresponding fixes, with attackers installing cryptocurrency miners and backdoors.

Horizon3 previously released exploit code for CVE-2022-1388, a critical vulnerability that allows remote code execution on F5 BIG-IP networking devices. Just as with the upcoming exploit release for the VMware vulnerability, the researchers strongly urged admins to patch their vulnerable F5 appliances before the code went public.

Update [May 24, 17:41 EST]: Article updated with details from Horizon3 received after publication.
