Cyber Resilience

CVE-2022-31678

Critical

Published: 28 October 2022

Modified: 08 May 2025
KEV Added: not listed
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.8393 (99.3rd percentile)
Risk Priority: 69 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-31678 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in VMware Cloud Foundation. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

VMware Cloud Foundation (NSX-V) on VCF 3.x instances contains an XML External Entity (XXE) vulnerability tracked as CVE-2022-31678 and classified as CWE-611. The flaw resides in the NSX-V component and received a CVSS 3.1 score of 9.1; the vector (AV:N/AC:L/PR:N/UI:N) reflects a network-reachable attack surface that requires neither authentication nor user interaction, and its C:H/A:H impacts correspond to the information-disclosure and denial-of-service outcomes described below.

An unauthenticated remote attacker can supply malicious XML to trigger the XXE condition, resulting in either a denial-of-service state or disclosure of sensitive information from the affected VCF deployment. The published EPSS score currently stands at 0.8393 with a recorded peak of 0.8596, indicating sustained exploitation interest since disclosure.

The official VMware advisory VMSA-2022-0027 provides mitigation guidance and is available at the reference URL listed for the CVE.

Vulnerability details

VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue, leading to a denial-of-service condition or unintended information disclosure.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

VMware Cloud Foundation ≤ 3.11
VMware NSX Data Center ≤ 6.4.14

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-611: penetration testing that includes XML external entity payloads, detecting XXE vulnerabilities and enabling their mitigation.
- Addresses CWE-611: monitoring that identifies XML external entity processing via unusual file/network access or resource usage.
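The analysis above describes the XXE mechanism (attacker-supplied XML with entity declarations, leading to disclosure or denial of service), and the controls listed here call for finding and mitigating CWE-611. The following is an added example, written for this page and not code from VMware, the advisory or NSX-V, showing the standard defensive intake pattern for an endpoint that must accept XML from unauthenticated callers: reject any DTD before parsing, and parse with the SAX external-entity features switched off as a second layer. The sample inputs, the 64 KiB size cap and the `file:///PLACEHOLDER` URI are constructed assumptions; rejections raised by `parse_untrusted_xml` are the event a defender would log as the detection signal.

```python
"""Added example (not from VMware or VMSA-2022-0027): defensive XML intake
that applies the usual CWE-611 fix in two layers."""
import io
import re
from xml.sax import make_parser, handler
from xml.sax.handler import ContentHandler

# Constructed sample inputs (not real NSX-V traffic). The second declares an
# external entity pointing at a placeholder URI; it is the shape a DTD-bearing
# request takes and is used here only to verify that the gate refuses it.
CLEAN_XML = b"<request><name>edge-01</name></request>"
DTD_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
    b"<request><name>&ext;</name></request>"
)

MAX_BYTES = 64 * 1024  # assumed request-size cap; tune per endpoint
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


class XmlRejected(ValueError):
    """Raised when a document is refused before parsing; log these events."""


class _TextCollector(ContentHandler):
    """Collects the text content of each element into a dict."""

    def __init__(self):
        super().__init__()
        self.elements = {}
        self._stack = []

    def startElement(self, name, attrs):
        self._stack.append((name, []))

    def characters(self, content):
        if self._stack:
            self._stack[-1][1].append(content)

    def endElement(self, name):
        _, parts = self._stack.pop()
        self.elements[name] = "".join(parts)


def parse_with_entities_disabled(data: bytes) -> dict:
    """Second layer: parse with external general and parameter entities off.

    With these features off, expat never fetches the target of a SYSTEM
    entity; a reference such as &ext; simply contributes no content."""
    parser = make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.elements


def parse_untrusted_xml(data: bytes) -> dict:
    """First layer: size cap and DTD rejection, then the hardened parse."""
    if len(data) > MAX_BYTES:
        raise XmlRejected(f"document exceeds {MAX_BYTES} bytes")
    if _DOCTYPE.search(data):
        # An API payload never needs a DTD; refusing it removes both the
        # external-entity (disclosure) and entity-expansion (DoS) paths.
        raise XmlRejected("DOCTYPE declarations are not accepted")
    return parse_with_entities_disabled(data)


if __name__ == "__main__":
    print(parse_untrusted_xml(CLEAN_XML))
    try:
        parse_untrusted_xml(DTD_XML)
    except XmlRejected as exc:
        print("rejected:", exc)
```

The DOCTYPE gate is a byte-level check, so a document in an encoding the regex does not match (UTF-16, for instance) would pass it; that is why the parser-level layer stays on regardless, and why a production intake should decode or reject unexpected encodings before this check runs. The same two-layer shape applies to any XML parser: disable DTD processing or external entity resolution at the parser, and treat any request that declares a DTD as a reportable event.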
