CVE-2022-22966
Published: 14 April 2022
Summary
CVE-2022-22966 is a high-severity an unspecified weakness vulnerability in Vmware Vcloud Director. Its CVSS base score is 7.2 (High).
Operationally, ranked in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-22966 is a remote code execution vulnerability affecting VMware Cloud Director. The flaw resides in the tenant and provider components and carries a CVSS 3.1 base score of 7.2, reflecting network-accessible attack vectors that require high privileges but no user interaction.
An authenticated actor possessing high privileges and network access to either the tenant or provider interface can exploit the issue to execute arbitrary code on the underlying server, thereby obtaining full access to the affected system.
The official VMware advisory VMSA-2022-0013, available at https://www.vmware.com/security/advisories/VMSA-2022-0013.html, supplies mitigation guidance and patch information for the affected product versions. The EPSS score reached a peak of 0.0993 and currently stands at 0.0639; this modest movement does not indicate a pronounced post-disclosure increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28087
Vulnerability details
An authenticated, high privileged malicious actor with network access to the VMware Cloud Director tenant or provider may be able to exploit a remote code execution vulnerability to gain access to the server.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.