Security researchers have identified in-the-wild exploitation attempts against a VMware Workspace ONE Access vulnerability disclosed only a week earlier. Because Workspace ONE Access is the identity and access management front door for an organization's applications, an attacker who compromises it gains a foothold that reaches everything that trusts it. Data breaches, ransom demands, brand damage, and lawsuits are all possible outcomes for affected organizations. The attack's tactics, techniques, and procedures resemble those used by groups such as the Iranian-linked Rocket Kitten.
The vulnerability is a server-side template injection (SSTI) in a component of the product that runs under Apache Tomcat: the server renders attacker-supplied template code from a crafted request and ends up executing the command embedded in it on the host. An attacker with network access to the appliance can use it to obtain full remote code execution on VMware's identity and access management server.
According to the research, attackers are already using the bug to drop reverse HTTPS backdoors, mainly Cobalt Strike, Metasploit, or Core Impact beacons. Once such a beacon runs with privileged access on the host, its operators can often evade standard defenses such as antivirus (AV) and endpoint detection and response (EDR).
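The following is an added example, not code from the original article or from VMware, showing the kind of detection logic a defender would run over web access logs to spot SSTI attempts like the one described above. It assumes an Apache combined-format log and Freemarker-style template syntax (`${...}`, `#{...}`, `<#...>`, `?new()`), which the page does not name; the log lines, the `/portal/ui/login` path and the `error` parameter are constructed placeholders rather than the real vulnerable endpoint. It also handles the common evasion of stacking URL encoding so that a single `unquote()` never reveals the payload.

```python
"""Scan web-server access log lines for server-side template injection (SSTI)
indicators of the kind used against VMware Workspace ONE Access.

Added example, not taken from the original article, from VMware, or from any
exploitation tool.  Assumptions (not stated on the page): the log is in Apache
combined format, and the template syntax to look for is Freemarker-style
(${...}, #{...}, <#...>, ?new()).  The sample lines below are constructed.
"""
import re
from urllib.parse import unquote

# Name -> regex.  Each one flags a template expression or an exec/class-loading
# primitive smuggled through a request parameter.
SSTI_INDICATORS = {
    "template_expression": re.compile(r"\$\{[^}]*\}"),        # ${...}
    "legacy_expression":   re.compile(r"#\{[^}]*\}"),         # #{...}
    "template_directive":  re.compile(r"<#\w+"),              # <#assign ...>
    "freemarker_execute":  re.compile(r"freemarker\.template\.utility\.Execute", re.I),
    "class_instantiation": re.compile(r"\?new\(\)"),          # "..."?new() built-in
    "exec_call":           re.compile(r"\.exec\(", re.I),     # Runtime/Execute .exec(...)
}

# Apache combined log format; we only need client IP, timestamp, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly (bounded) because attackers stack encodings."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a finding dict for one log line, or None if nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_fully(m.group("path"))
    hits = [name for name, rx in SSTI_INDICATORS.items() if rx.search(path)]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "path": path,
        "indicators": hits,
    }


def scan_log(lines):
    """Scan many lines; returns the list of findings in log order."""
    return [f for f in (scan_line(l) for l in lines) if f]


# Constructed sample lines (not real traffic).  The path and parameter name are
# placeholders, not the vulnerable endpoint.
SAMPLE_LINES = [
    # benign request with an ordinary error parameter
    '192.0.2.10 - - [20/Apr/2022:10:15:02 +0000] "GET /portal/ui/login?error=invalid_client HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # single URL-encoded ${"freemarker.template.utility.Execute"?new()("id")}
    '198.51.100.7 - - [20/Apr/2022:10:15:09 +0000] "GET /portal/ui/login?error=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D HTTP/1.1" 400 0 "-" "curl/7.79.1"',
    # same payload double-encoded to slip past a single-pass string match
    '198.51.100.7 - - [20/Apr/2022:10:15:11 +0000] "GET /portal/ui/login?error=%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew%2528%2529%2528%2522id%2522%2529%257D HTTP/1.1" 400 0 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LINES):
        print(finding["ip"], finding["status"], finding["indicators"], finding["path"])
```

Run it against a real access log by replacing `SAMPLE_LINES` with the file's lines; a 400 or 500 status on a hit is still worth escalating, since a failed probe often precedes a working one from the same source address.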
Security researchers have analyzed this new attack in detail below.
The VMware Identity Manager service (the name under which Workspace ONE Access was previously sold) is also being targeted by threat actors. Several vulnerabilities in these products have recently been reported, including CVE-2022-22957, CVE-2022-22958, and CVE-2022-22954.
Refer to the VMware Security Advisory for patch, upgrade, and suggested workaround information.