CVE-2022-22948 Overview
CVE-2022-22948 is an information disclosure vulnerability in VMware vCenter Server caused by improper file permissions [CWE-276]. An authenticated attacker with non-administrative access to the vCenter Server can read files containing sensitive information that should be restricted to privileged accounts. The flaw affects vCenter Server 6.5, 6.7, and 7.0, as well as VMware Cloud Foundation deployments that bundle the affected vCenter versions. CISA added this CVE to the Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild.
Critical Impact
A low-privileged authenticated user can extract sensitive vCenter configuration data, potentially harvesting credentials or session material that enables lateral movement and full takeover of the virtualization fabric.
Affected Products
- VMware vCenter Server 6.5 (all listed patch levels through Update 3q)
- VMware vCenter Server 6.7 (all listed patch levels through Update 3o)
- VMware vCenter Server 7.0 (all listed patch levels through Update 3c) and VMware Cloud Foundation
Discovery Timeline
- 2022-03-29 - CVE-2022-22948 published to NVD alongside VMware advisory VMSA-2022-0009
- 2025-10-31 - Last updated in NVD database
Technical Details for CVE-2022-22948
Vulnerability Analysis
The vulnerability resides in how vCenter Server applies filesystem permissions to certain server-side files. Files that should be readable only by administrative or service accounts are accessible to lower-privileged authenticated users. An attacker who has obtained any non-administrative vCenter account can read these files over the network and harvest data that supports further attacks.
CISA's inclusion of CVE-2022-22948 in the KEV Catalog confirms that threat actors have weaponized the flaw against production vCenter environments. The EPSS data reflects this exposure, placing the CVE in the upper percentile of CVEs by predicted exploitation likelihood.
Root Cause
The root cause is incorrect default permissions [CWE-276] on specific files written by vCenter Server. The discretionary access control entries assigned at install or upgrade time grant read access to identities that should not have it. Because vCenter consolidates inventory, identity, and configuration data, the exposed files can include material useful for privilege escalation.
Attack Vector
Exploitation is performed over the network against an authenticated session. The attacker first authenticates to vCenter with any valid, non-administrative account, then requests or retrieves the misprotected files using normal API or filesystem-exposed paths. No user interaction is required beyond the attacker's own actions, and no additional privilege escalation step is needed to read the files. Disclosed contents can be used to pivot toward administrative access, ESXi host compromise, or guest virtual machine takeover.
No public proof-of-concept is published in the referenced advisories. See the VMware Security Advisory VMSA-2022-0009 for vendor technical details.
Detection Methods for CVE-2022-22948
Indicators of Compromise
- Authenticated vCenter sessions from low-privileged accounts accessing files or API endpoints outside their normal operational scope.
- Outbound transfer of vCenter configuration artifacts to workstations not used for vSphere administration.
- Reuse of credentials or tokens harvested from vCenter against ESXi hosts or Active Directory shortly after a non-admin vCenter login.
Detection Strategies
- Inspect vCenter audit logs (/var/log/vmware/vpxd/, /var/log/vmware/sso/) for non-administrative principals reading sensitive configuration files or invoking unexpected API paths.
- Baseline normal API and file-access behavior per vCenter role and alert on deviations, especially read access by accounts that historically perform only inventory or read-only operations.
- Correlate vCenter authentication events with subsequent ESXi host logins or Active Directory privilege changes to catch credential reuse stemming from disclosed data.
Monitoring Recommendations
- Forward vCenter, SSO, and ESXi logs to a centralized analytics platform and retain them long enough to investigate slow-burn credential abuse.
- Monitor for new or unexpected vCenter local accounts, role bindings, and permission changes following any suspected exploitation.
- Track access to backup files, certificate stores, and database dumps generated by vCenter, since these are common targets when permissions are misapplied.
How to Mitigate CVE-2022-22948
Immediate Actions Required
- Apply the fixed vCenter Server builds listed in VMware Security Advisory VMSA-2022-0009 to all 6.5, 6.7, and 7.0 deployments.
- Update VMware Cloud Foundation to a release that ships the patched vCenter Server version.
- Audit and reduce the number of non-administrative vCenter accounts and remove any that are no longer required.
- Rotate credentials, API tokens, and certificates that may have been exposed on affected vCenter hosts prior to patching.
Patch Information
VMware released fixed builds for vCenter Server 6.5, 6.7, and 7.0 in VMSA-2022-0009. VMware Cloud Foundation customers must apply the corresponding async patch that bundles the fixed vCenter version. Refer to the vendor advisory for the exact target builds aligned with your current deployment.
Workarounds
- No official workaround is published; VMware lists patching as the resolution in VMSA-2022-0009.
- As a compensating control, restrict network reachability of vCenter management interfaces to a hardened administrative network segment.
- Enforce least privilege by removing standing non-administrative roles and requiring just-in-time elevation for read access to vCenter.
# Verify the running vCenter Server build against the fixed builds in VMSA-2022-0009
vpxd -v
# Example: list local OS accounts that can authenticate to the vCenter appliance
login as: root
cat /etc/passwd | awk -F: '$3>=1000 {print $1}'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

