On Wednesday, April 6, 2022, VMware disclosed several critical-severity vulnerabilities affecting multiple VMware products. If successfully exploited, these vulnerabilities could lead to Remote Code Execution (RCE) or Authentication Bypass.

In addition to the critical-severity vulnerabilities, VMware disclosed several high- and medium-severity vulnerabilities that could lead to Cross-Site Request Forgery (CSRF), Local Privilege Escalation (LPE), or Information Disclosure. All of the vulnerabilities were discovered and responsibly reported to VMware by a security researcher, and patches are available that remediate every one of them.

Affected Products:

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

Vulnerability                                          CVE Identifier
Server-side Template Injection Remote Code Execution   CVE-2022-22954
OAuth2 ACS Authentication Bypass                       CVE-2022-22955, CVE-2022-22956
JDBC Injection Remote Code Execution                   CVE-2022-22957, CVE-2022-22958
Cross-Site Request Forgery                             CVE-2022-22959
Local Privilege Escalation                             CVE-2022-22960
Information Disclosure                                 CVE-2022-22961
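The table names vulnerability classes only. As an added example that is not part of the original advisory or of any VMware tooling, the script below shows a generic log check for the first class, Server-side Template Injection: it walks constructed access-log lines (not taken from any real system), percent-decodes each query parameter repeatedly so double-encoded payloads are not missed, and flags values that contain template-expression delimiters or Java identifiers that a template payload needs in order to reach code execution. The delimiter and token lists and the request paths in the sample lines are assumptions chosen for illustration; product-specific indicators of compromise for CVE-2022-22954 should be taken from the vendor advisory, not from this example.

```python
"""Flag HTTP request log lines whose query parameters carry template-expression
syntax, a generic indicator of server-side template injection (SSTI) attempts.
Added example; indicator lists and sample log lines are constructed for illustration."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (common log format). Not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2022:10:01:02 +0000] "GET /ui/login?next=%2Fhome HTTP/1.1" 200 5123
10.0.0.9 - - [07/Apr/2022:10:01:07 +0000] "GET /ui/view?error=&name=%24%7B7*7%7D HTTP/1.1" 400 318
10.0.0.9 - - [07/Apr/2022:10:01:09 +0000] "GET /ui/view?name=%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew%2528%2529%2528%2522id%2522%2529%257D HTTP/1.1" 500 412
10.0.0.12 - - [07/Apr/2022:10:02:00 +0000] "POST /ui/api/session HTTP/1.1" 201 88
"""

# Request line inside a common-log-format record: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Expression delimiters of template engines commonly reachable from web apps
# (assumed list): ${...} and #{...}, FreeMarker directives <#...>, Jinja/Twig {{...}} and {%...%}.
TEMPLATE_MARKERS = re.compile(r"\$\{|#\{|<#|\{\{|\{%")

# Java identifiers a payload typically needs to turn template evaluation into
# command execution (assumed list; extend from the vendor advisory for a real hunt).
SUSPICIOUS_TOKENS = ("freemarker", "Runtime", "ProcessBuilder", "getClass", "exec(")


def decode_value(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly; attackers double-encode to dodge naive matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(target: str) -> dict:
    """Inspect the query string of one request target and return any indicators found."""
    parts = urlsplit(target)
    findings = []
    # parse_qsl already decodes one layer; decode_value strips any further layers.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_value(raw)
        markers = TEMPLATE_MARKERS.findall(value)
        tokens = [t for t in SUSPICIOUS_TOKENS if t in value]
        if markers or tokens:
            findings.append({"param": name, "markers": markers, "tokens": tokens, "value": value})
    return {"path": parts.path, "findings": findings}


def scan_log(text: str) -> list:
    """Scan access-log text and return one record per line that shows SSTI indicators."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        result = analyze_request(m.group("target"))
        if result["findings"]:
            hits.append({"line": lineno, "method": m.group("method"), **result})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        for f in hit["findings"]:
            print(f"line {hit['line']}: {hit['method']} {hit['path']} "
                  f"param={f['param']!r} markers={f['markers']} tokens={f['tokens']} value={f['value']!r}")
```

The check deliberately matches on decoded parameter values rather than on the raw request line, so the triple-encoded FreeMarker payload on the third sample line is caught alongside the plain `${7*7}` probe on the second. It will also fire on benign parameters that legitimately contain `{{` or `${`, so treat its output as a triage queue rather than an alert of its own.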
