{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/identity-manager/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Identity Manager","Workspace ONE Access"],"_cs_severities":["critical"],"_cs_tags":["vmware","ssti","cve-2022-22954","template-injection"],"_cs_type":"advisory","_cs_vendors":["VMware"],"content_html":"\u003cp\u003eThis threat brief addresses potential exploitation attempts targeting CVE-2022-22954, a server-side template injection vulnerability affecting VMware Workspace ONE Access (Access) and Identity Manager (vIDM). This vulnerability allows a remote attacker to execute arbitrary code on the server. The attack is initiated through malicious HTTP GET requests containing specific parameters designed to exploit the template injection flaw. This activity is significant because successful exploitation can lead to complete system compromise, unauthorized access, and the execution of arbitrary commands, making it critical for defenders to identify and mitigate these attempts. The vulnerability was disclosed in early 2022, and proof-of-concept exploits are publicly available, increasing the risk of widespread exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable VMware Access or vIDM instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting a specific endpoint (potentially involving \u003ccode\u003edeviceudid\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious GET request includes payload strings such as \u003ccode\u003efreemarker.template.utility.ObjectConstructor\u003c/code\u003e or \u003ccode\u003ejava.lang.ProcessBuilder\u003c/code\u003e within the URL to trigger template injection.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application processes the crafted request without proper sanitization, interpreting the payload as a template instruction.\u003c/li\u003e\n\u003cli\u003eThe template engine executes the injected code, allowing the attacker to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial code execution to establish persistence, potentially by writing a backdoor to disk.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain root or SYSTEM access.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, compromising other systems and exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2022-22954 can lead to complete compromise of the affected VMware Access or vIDM server. This includes unauthorized access to sensitive data, the ability to execute arbitrary commands, and the potential for lateral movement within the network. Organizations using vulnerable versions of VMware products are at risk of data breaches, service disruption, and reputational damage. Public exploits have been developed, increasing the likelihood of widespread attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect VMware CVE-2022-22954 Exploitation Attempts\u003c/code\u003e to your SIEM to identify malicious HTTP GET requests (logsource: webserver, product: linux).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on systems accessing the affected VMware instances.\u003c/li\u003e\n\u003cli\u003eApply the official VMware patch for CVE-2022-22954 immediately to remediate the vulnerability (reference: \u003ca href=\"https://www.vmware.com/security/advisories/VMSA-2022-0011.html)\"\u003ehttps://www.vmware.com/security/advisories/VMSA-2022-0011.html)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual URL patterns containing \u003ccode\u003edeviceudid\u003c/code\u003e in combination with Java-related keywords, even if the Sigma rule does not trigger (logsource: webserver, product: linux).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a successful compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T10:02:45Z","date_published":"2024-01-03T18:23:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-vmware-ssti/","summary":"An attacker attempts to exploit CVE-2022-22954, a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager, by sending a crafted HTTP GET request containing malicious parameters to achieve remote code execution.","title":"VMware Server-Side Template Injection Attempt (CVE-2022-22954)","url":"https://feed.craftedsignal.io/briefs/2024-01-vmware-ssti/"}],"language":"en","title":"CraftedSignal Threat Feed - Identity Manager","version":"https://jsonfeed.org/version/1.1"}