CVE-2022-22954 Overview
CVE-2022-22954 is a critical remote code execution vulnerability affecting VMware Workspace ONE Access and Identity Manager products. The vulnerability exists due to improper handling of server-side template injection (SSTI), allowing a malicious actor with network access to execute arbitrary code on the target system. This vulnerability requires no authentication or user interaction, making it particularly dangerous for exposed VMware infrastructure.
Critical Impact
This vulnerability is actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Unauthenticated remote attackers can achieve complete system compromise through server-side template injection, potentially leading to data theft, lateral movement, and persistent access to enterprise environments.
Affected Products
- VMware Workspace ONE Access versions 20.10.0.0, 20.10.0.1, 21.08.0.0, 21.08.0.1
- VMware Identity Manager versions 3.3.3, 3.3.4, 3.3.5, 3.3.6
- VMware vRealize Automation version 7.6
- VMware Cloud Foundation (multiple versions)
- VMware vRealize Suite Lifecycle Manager (multiple versions)
Discovery Timeline
- April 11, 2022 - CVE-2022-22954 published to NVD
- October 30, 2025 - Last updated in NVD database
Technical Details for CVE-2022-22954
Vulnerability Analysis
This vulnerability is classified as a Server-Side Template Injection (SSTI) flaw, falling under CWE-94 (Improper Control of Generation of Code). The vulnerability allows unauthenticated attackers with network access to inject malicious template expressions that are processed by the server-side template engine, resulting in remote code execution.
The attack can be executed remotely over the network without requiring any privileges or user interaction. Successful exploitation grants the attacker the ability to execute arbitrary commands with the privileges of the affected service, potentially leading to complete system compromise. Given the enterprise deployment context of VMware Workspace ONE Access and Identity Manager as identity and access management solutions, exploitation could provide attackers with a strategic foothold for further attacks against connected systems and applications.
Root Cause
The root cause of this vulnerability lies in improper input validation and sanitization within the server-side template processing functionality. When user-controlled input is passed to the template engine without adequate filtering, attackers can inject template directives that are interpreted and executed by the server. This design flaw allows the template engine to process malicious expressions as legitimate code, bypassing intended security boundaries.
Attack Vector
The attack is executed over the network by sending specially crafted HTTP requests to vulnerable VMware Workspace ONE Access or Identity Manager endpoints. The attacker injects template expressions into parameters that are subsequently processed by the server-side template engine.
The exploitation flow follows these general steps:
- The attacker identifies a vulnerable VMware Workspace ONE Access or Identity Manager instance accessible over the network
- A malicious HTTP request containing template injection payload is crafted targeting vulnerable endpoints
- The server processes the request and passes the user-controlled input to the template engine
- The template engine interprets the injected expressions and executes the embedded commands
- Arbitrary code execution is achieved with the privileges of the web application service
For detailed technical analysis and proof-of-concept information, refer to the Packet Storm Security Report.
Detection Methods for CVE-2022-22954
Indicators of Compromise
- Unusual HTTP requests to VMware Workspace ONE Access or Identity Manager endpoints containing template syntax characters such as ${, #{, %{, or FreeMarker/Velocity expressions
- Unexpected child processes spawned by the VMware web application service (e.g., /bin/sh, bash, cmd.exe)
- Web server logs showing requests with encoded or obfuscated template injection payloads
- Network connections from VMware appliances to unexpected external hosts or command-and-control infrastructure
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block template injection patterns in HTTP request parameters
- Implement network intrusion detection signatures for known CVE-2022-22954 exploitation attempts
- Monitor VMware Workspace ONE Access and Identity Manager application logs for template parsing errors or exceptions
- Utilize endpoint detection and response (EDR) solutions to identify suspicious process execution chains originating from the VMware service
Monitoring Recommendations
- Enable verbose logging on VMware Workspace ONE Access and Identity Manager instances to capture detailed request information
- Implement centralized log aggregation and SIEM correlation rules for template injection attack patterns
- Configure alerts for any outbound network connections from VMware identity management appliances to non-whitelisted destinations
- Regularly audit system and application processes on affected servers for anomalous activity
How to Mitigate CVE-2022-22954
Immediate Actions Required
- Apply VMware security patches immediately as outlined in VMware Security Advisory VMSA-2022-0011
- Restrict network access to VMware Workspace ONE Access and Identity Manager administrative interfaces using firewall rules
- Implement network segmentation to limit exposure of identity management infrastructure
- Review system logs and network traffic for indicators of prior exploitation attempts
Patch Information
VMware has released security updates to address this vulnerability. Organizations should apply patches according to VMware Security Advisory VMSA-2022-0011. Given that this vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, federal agencies and critical infrastructure operators are required to remediate within specified timelines.
Affected versions requiring updates:
- VMware Workspace ONE Access: 20.10.0.0, 20.10.0.1, 21.08.0.0, 21.08.0.1
- VMware Identity Manager: 3.3.3, 3.3.4, 3.3.5, 3.3.6
- VMware vRealize Automation: 7.6
Workarounds
- If immediate patching is not possible, place vulnerable VMware instances behind a reverse proxy with strict input validation rules
- Disable or restrict access to non-essential web interfaces and endpoints on affected systems
- Implement IP allowlisting to limit access to trusted administrative networks only
- Monitor for VMware-provided temporary mitigations or workarounds in the security advisory
# Example: Restrict network access to VMware Workspace ONE Access
# Add firewall rules to limit access to trusted networks only
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
# Verify VMware service status and review logs
systemctl status horizon-workspace
tail -f /opt/vmware/horizon/workspace/logs/catalina.out
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
