Cyber Resilience

CVE-2022-22966

High

Published: 14 April 2022

Modified: 21 November 2024
KEV Added: none (not in CISA KEV)
Patch: see VMware advisory VMSA-2022-0013
CVSS v3.1 Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0639 (91.2nd percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-22966 is a high-severity vulnerability (weakness type unspecified) in VMware vCloud Director. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 8.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-22966 is a remote code execution vulnerability affecting VMware Cloud Director. The flaw resides in the tenant and provider components and carries a CVSS 3.1 base score of 7.2, reflecting network-accessible attack vectors that require high privileges but no user interaction.

An authenticated actor possessing high privileges and network access to either the tenant or provider interface can exploit the issue to execute arbitrary code on the underlying server, thereby obtaining full access to the affected system.

The official VMware advisory VMSA-2022-0013, available at https://www.vmware.com/security/advisories/VMSA-2022-0013.html, supplies mitigation guidance and patch information for the affected product versions. The EPSS score reached a peak of 0.0993 and currently stands at 0.0639; this modest movement does not indicate a pronounced post-disclosure increase in observed exploitation interest.

EU & UK References

Vulnerability details

An authenticated, high privileged malicious actor with network access to the VMware Cloud Director tenant or provider may be able to exploit a remote code execution vulnerability to gain access to the server.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: VMware
Product: vCloud Director
Affected versions: 10.1.0 through 10.1.4.1; 10.2.0 through 10.2.2.3; 10.3.0 through 10.3.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References