Vulnerability Analysis

VMware Workspace ONE CVE-2022-22954: Server-Side Template Injection Goes Enterprise

CVE-2022-22954 in VMware Workspace ONE Access allowed unauthenticated RCE via server-side template injection. Attackers used it to deploy cryptominers and backdoors.

Shadab Khan
Security Engineer
6 min read

In April 2022, VMware patched CVE-2022-22954, a server-side template injection (SSTI) vulnerability in Workspace ONE Access (formerly VMware Identity Manager). The vulnerability allowed unauthenticated remote code execution with a single HTTP request. Within 48 hours of the patch release, proof-of-concept exploits were public. Within a week, mass exploitation was underway, with attackers deploying cryptominers, reverse shells, and persistent backdoors on vulnerable servers worldwide.

The Vulnerability

CVE-2022-22954 is a server-side template injection vulnerability in the /catalog-portal/ui/oauth/verify endpoint of VMware Workspace ONE Access. The endpoint processed user-supplied input through a FreeMarker template engine without proper sanitization.

Server-side template injection occurs when user input is embedded directly into a template that's processed server-side. If the template engine evaluates the input as code rather than text, the attacker can execute arbitrary expressions — and in most cases, arbitrary operating system commands.

The exploit was remarkably simple. A single HTTP GET request with a crafted deviceUdid parameter was all it took:

GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("id")}

This would execute the id command on the server and return the output. Replace id with any command, and you have full remote code execution as the VMware service account.

The CVSS score was 9.8. Unauthenticated, remote, no user interaction, high impact across confidentiality, integrity, and availability.
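As an added example, not taken from the original post or from VMware, here is a small Python detector that runs over constructed web-server access-log lines and flags requests to the verify endpoint whose parameters carry the FreeMarker payload shape shown above. It URL-decodes each value (including stacked encodings) before matching, because the raw query string in a log rarely contains the literal `${` characters.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

VERIFY_PATH = "/catalog-portal/ui/oauth/verify"
# FreeMarker SSTI markers: the ?new built-in inside ${...}, or the Execute class from the PoC.
SSTI_MARKERS = (re.compile(r"\$\{.*\?new\s*\(", re.S),
                re.compile(r"freemarker\.template\.utility\.Execute"))
# Combined-log-format line: client ip, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (not real traffic): an encoded exploit attempt, a benign verify call, noise.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Apr/2022:03:14:07 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D HTTP/1.1" 200 512 "-" "python-requests/2.27.1"
198.51.100.23 - - [11/Apr/2022:03:14:09 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=4f2a9c1e-0b3d-4c6e-9a2f-1d5e7b8c9f00 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2022:03:15:12 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0"
"""

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target: str) -> Optional[Dict[str, str]]:
    """Return a finding if a request to the verify endpoint carries an SSTI payload."""
    parts = urlsplit(target)
    if parts.path != VERIFY_PATH:
        return None
    # parse_qs strips one encoding layer; fully_decode handles any stacked on top.
    # Every parameter is inspected, not only deviceUdid, so encoded variants are not missed.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            decoded = fully_decode(raw)
            if any(p.search(decoded) for p in SSTI_MARKERS):
                return {"param": name, "payload": decoded}
    return None

def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan access-log text; the status code is recorded but never used as a filter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        hit = inspect_request(m.group("target")) if m else None
        if hit:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), **hit})
    return findings
```

Point `scan_log` at real access-log text and review every finding by hand; a hit on this endpoint is an exploitation attempt regardless of the status code the server returned.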

VMware Workspace ONE Access in Context

Workspace ONE Access is VMware's identity management and single sign-on platform. It authenticates users and manages access to applications across the enterprise. It integrates with Active Directory, LDAP, SAML, and OAuth providers. It's the gateway to corporate applications.

A compromised Workspace ONE Access server gives attackers:

  • SSO token minting: The ability to generate valid authentication tokens for any user, including administrators
  • Active Directory credentials: Integration credentials for AD/LDAP often stored in the server's configuration
  • Session hijacking: Access to active user sessions across all integrated applications
  • OAuth/SAML key material: The cryptographic keys used to sign authentication assertions

This isn't just another server compromise. It's a compromise of the trust anchor for the organization's identity infrastructure.

The Exploitation Timeline

April 6, 2022: VMware publishes advisory VMSA-2022-0011, patching CVE-2022-22954 along with several other vulnerabilities.

April 7, 2022: Security researchers begin analyzing the patch diff and identify the template injection vector.

April 8, 2022: Multiple proof-of-concept exploits are published on Twitter and GitHub.

April 11, 2022: Mass scanning and exploitation begins. Honeypots detect thousands of exploitation attempts per day.

April 13, 2022: CISA adds CVE-2022-22954 to its Known Exploited Vulnerabilities catalog.

April-May 2022: Multiple threat actors are observed exploiting the vulnerability for different purposes — cryptomining, ransomware staging, and espionage.

The patch-to-exploit timeline was approximately 48 hours. For organizations that couldn't patch within that window, the race was already lost.

Observed Attack Campaigns

Cryptomining Operations

The earliest and most widespread exploitation was for cryptocurrency mining. Attackers deployed XMRig miners on compromised Workspace ONE servers, taking advantage of the typically powerful hardware allocated to identity management infrastructure.

Reverse Shell and Backdoor Deployment

More sophisticated attackers deployed persistent backdoors using various techniques:

  • Cobalt Strike beacons for command-and-control
  • Custom web shells in VMware's web application directories
  • Scheduled tasks and cron jobs for persistence
  • SSH key injection for alternative access

Ransomware Pre-Staging

Several ransomware groups used compromised Workspace ONE servers as staging points for broader network compromise. The identity management server's privileged network position and stored credentials made it an ideal launchpad for lateral movement.

Nation-State Activity

APT groups were observed exploiting CVE-2022-22954 for targeted espionage operations. The access to identity infrastructure and authentication material made Workspace ONE servers particularly valuable for long-term intelligence collection.

The VMware Vulnerability Cluster

CVE-2022-22954 wasn't the only critical vulnerability patched in VMSA-2022-0011. The same advisory addressed:

  • CVE-2022-22955/CVE-2022-22956: OAuth2 ACS authentication bypass vulnerabilities
  • CVE-2022-22957/CVE-2022-22958: JDBC injection RCE vulnerabilities (authenticated)
  • CVE-2022-22959: Cross-site request forgery
  • CVE-2022-22960: Local privilege escalation

Some attackers chained CVE-2022-22954 with CVE-2022-22960 to achieve root access after initial exploitation. This combination was particularly effective because CVE-2022-22954 provided initial access as a service account, and CVE-2022-22960 escalated to root.

Why SSTI Vulnerabilities Keep Appearing

Server-side template injection has been a known vulnerability class for years, yet it continues to appear in enterprise software. The reasons are systemic:

Limited developer familiarity: Many developers don't fully understand how template engines process input. They treat templates as simple string formatting rather than as code evaluation engines.

Framework defaults: Template engines like FreeMarker, Velocity, Thymeleaf, and Jinja2 are designed for flexibility and power. Their default configurations allow arbitrary code execution through template expressions.

Security review gaps: SSTI is harder to detect than SQL injection or XSS because the injection point and the execution context are different. Static analysis tools often miss it, and dynamic testing requires specific payloads for each template engine.

Legacy code: Many SSTI vulnerabilities exist in code that was written years ago, before SSTI was widely recognized as a vulnerability class. The code works correctly for its intended purpose and only becomes dangerous when an attacker provides unexpected input.

Remediation Steps

Immediate Actions

  1. Patch to the fixed version as specified in VMSA-2022-0011
  2. Check for indicators of compromise: Look for unexpected processes, web shells in VMware directories, new scheduled tasks, and unusual outbound network connections
  3. Rotate all credentials stored in Workspace ONE Access, including AD integration credentials, SAML/OAuth keys, and database credentials
  4. Review authentication logs for token minting activity that could indicate the attacker generated valid SSO tokens

Long-Term Hardening

  • Restrict network access to Workspace ONE Access management interfaces
  • Implement network-level monitoring for anomalous traffic patterns
  • Deploy endpoint detection and response (EDR) on identity management servers
  • Establish a rapid patching process for identity infrastructure components

How Safeguard.sh Helps

Safeguard.sh provides critical capabilities for managing vulnerabilities in identity infrastructure like VMware Workspace ONE:

  • Rapid Vulnerability Detection: Safeguard.sh identifies vulnerable VMware versions in your environment within hours of CVE disclosure, enabling immediate remediation prioritization.
  • Exploit Timeline Tracking: Safeguard.sh monitors the weaponization status of vulnerabilities, alerting you when PoC exploits become available and active exploitation is confirmed.
  • Infrastructure Mapping: By maintaining a complete inventory of your software components, Safeguard.sh shows you every instance of affected VMware products, including those that might be overlooked in manual audits.
  • Remediation Verification: After patching, Safeguard.sh confirms that the fixed version is actually running, preventing cases where failed patches leave systems exposed.

CVE-2022-22954 demonstrated that identity infrastructure is a prime target. Safeguard.sh helps ensure your identity management systems are patched, monitored, and secured.
