CVE-2022-22972: DHS CISA Directs Federal Agencies to Take Immediate Action Against VMware Bugs

Posted on May 25, 2022 | By Pavithra Shankar

Did you know that CSW’s Cyber Threat Intelligence flagged CVE-2022-22972 as having a high probability of being exploited 62 days before the CISA warning?

VMware disclosed two security holes (CVE-2022-22972 and CVE-2022-22973) in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager on May 18, 2022. The more severe of the two is CVE-2022-22972, a critical authentication bypass affecting local domain users, which malicious actors with network access to the UI could exploit to obtain administrative access without authenticating.

On the same day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency security directive over the VMware vulnerabilities, which threat actors are likely to exploit. The directive requires all Federal Civilian Executive Branch entities to either apply the patch or remove impacted VMware installations from agency networks by May 24, 2022.

Likely to be Exploited

On May 26, 2022, researchers at Horizon released a PoC exploit for CVE-2022-22972 that can be used to bypass authentication on vRealize Automation 7.6.

On April 6, 2022, VMware discovered two vulnerabilities in their systems and issued an update to fix them: CVE-2022-22960 and CVE-2022-22954. Although VMware was able to release patches, within a 48-hour window following the patch release threat actors were able to reverse engineer the update and begin exploiting vulnerable VMware products that had not been patched.

CISA has also issued a cybersecurity advisory that includes IoCs, detection signatures, and incident response guidelines to assist administrators in detecting and responding to the active exploitation of CVE-2022-22954 and CVE-2022-22960.

Given the exploitation of last month's VMware vulnerabilities, CISA anticipates that threat actors will find a way to exploit the newly disclosed vulnerabilities as well, since they are now familiar with the system.

Global Exposure 

525 devices could potentially be exposed to the Internet, with the United States topping the list at 36%, followed by Germany at 6%.

Scanner Plugins

In terms of scanning plugins, popular scanners such as Nessus, Nexpose, and Qualys were able to detect the vulnerabilities.

List of Affected Products

The complete list of VMware products impacted by these security bugs includes:

Product Component

VMware Workspace ONE Access Appliance

VMware Identity Manager Appliance

VMware at Unacceptable Risk, Patch Now!

CISA found that all of these security vulnerabilities constitute an unacceptable risk to federal agencies and has ordered agencies to fix them before May 24, 2022. Concerns over growing attacker interest in zero-days have prompted CISA to issue several security initiatives.

VMware infrastructure is widely deployed in data center and cloud environments, making it an attractive target for hackers. Cybercriminals scan for these types of vulnerabilities constantly and attempt to exploit targets before they have a chance to download a patch.

Therefore, we strongly recommend that organizations apply patches and updates for popular platforms as soon as the vendor discloses them.

