Hackers Are Actively Attacking Vulnerabilities in VMware Products

Written by Emma Davis

Experts have warned that suspected state-backed hackers are actively exploiting two vulnerabilities in VMware products (both rated 9.8 out of 10 on the CVSS scale) in an effort to plant backdoors and other malware on corporate networks.

Back in April of this year, VMware discovered and patched the RCE vulnerability CVE-2022-22954, as well as the privilege escalation vulnerability CVE-2022-22960.

Let me also remind you that we previously reported that an RCE vulnerability in VMware vCenter was already under attack, and that VMware fixed critical vulnerabilities in Carbon Black App Control.

According to a security bulletin released this week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the hackers were able to reverse-engineer both patches and build working exploits in less than 48 hours, and then began exploiting the vulnerabilities in the wild.

After compromising a vulnerable device, the attackers use the root access they have obtained to install the Dingo J-spy web shell. At least three unnamed organizations are known to have already been hit by such attacks.

According to CISA, the attacks are most likely the work of APT groups: well-funded, technically advanced hackers who are usually backed by national governments.

“According to reports from trusted third parties, attackers can chain these vulnerabilities. In one organization compromised on April 12, 2022, an unauthorized attacker with network access to the web interface used CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The attacker then used CVE-2022-22960 to elevate privileges to root. With root access, the attacker was able to erase logs, obtain more permissions, and move to other systems,” the CISA warning reads.

Also this week, VMware warned customers to immediately patch another critical authentication bypass vulnerability “affecting local domain users” that can be used to gain administrative privileges. The vulnerability was assigned the identifier CVE-2022-22972.

Another bug fixed this week, CVE-2022-22973, is a local privilege escalation vulnerability: an attacker who already has local access can use it to elevate their privileges to root.

The full list of VMware products affected by the latest vulnerabilities includes:

  1. VMware Workspace ONE Access;
  2. VMware Identity Manager (vIDM);
  3. VMware vRealize Automation (vRA);
  4. VMware Cloud Foundation;
  5. vRealize Suite Lifecycle Manager.

About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
