Cyber Resilience

CVE-2022-22972

Critical

Published: 20 May 2022

Modified: 21 November 2024
KEV Added
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9368 (99.9th percentile)
Risk Priority: 76 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-22972 is a critical-severity vulnerability of an unspecified weakness type in VMware Cloud Foundation. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain an authentication bypass vulnerability that affects local domain users. An attacker who can reach the product UI over the network can obtain administrative privileges without authenticating, which corresponds to a CVSS 3.1 base score of 9.8.

An attacker with network access to the affected user-interface endpoints can exploit the weakness without supplying credentials, resulting in full administrative control over the compromised instance. The attack requires no user interaction and no prior privileges.

VMware published advisory VMSA-2022-0014 to address the issue. The EPSS score for this CVE has remained consistently high, with a current value of 0.9368 and a recorded peak of 0.9376.

Vulnerability details

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product / Affected versions
vmware / identity manager / 3.3.3, 3.3.4, 3.3.5, 3.3.6
vmware / vrealize automation / 7.6
vmware / workspace one access / 20.10.0.0, 20.10.0.1, 21.08.0.0, 21.08.0.1
vmware / cloud foundation / 3.0, 3.0.1, 3.0.1.1, 3.10, 3.10.1
vmware / vrealize suite lifecycle manager / 8.0, 8.0.1, 8.1, 8.2, 8.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
