CVE-2022-22982: VMware Cloud Foundation SSRF Vulnerability

CVE-2022-22982 is a server-side request forgery flaw in VMware Cloud Foundation's vCenter Server that allows attackers to access unauthorized URLs or internal services. This article covers technical details, affected versions, impact, and mitigation steps.

CVE-2022-22982 Overview

CVE-2022-22982 is a server-side request forgery (SSRF) vulnerability in VMware vCenter Server. An attacker with network access to port 443 on the vCenter Server can coerce the server into issuing HTTP requests to arbitrary URLs or to internal services that should not be exposed externally. VMware disclosed the issue in advisory VMSA-2022-0018 and assigned the flaw a CVSS v3.1 base score of 7.5. The vulnerability also affects VMware Cloud Foundation deployments that bundle vCenter Server. Successful exploitation does not require authentication or user interaction, which lowers the bar for opportunistic abuse against internet-exposed management interfaces.

Critical Impact

Unauthenticated attackers with network access to port 443 can force vCenter Server to make arbitrary outbound or internal requests, enabling reconnaissance of internal services and exposure of confidential data.

Affected Products

  • VMware vCenter Server 6.5 (including update releases through 6.5 Update 3s)
  • VMware vCenter Server 6.7 (including update releases through 6.7 Update 3q)
  • VMware vCenter Server 7.0 (including update releases through 7.0 Update 3e) and VMware Cloud Foundation deployments containing vCenter Server

Discovery Timeline

  • 2022-07-13 - CVE-2022-22982 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-22982

Vulnerability Analysis

The flaw is classified under CWE-918, Server-Side Request Forgery. vCenter Server exposes HTTPS endpoints on TCP port 443 that accept URL or resource parameters and dispatch requests on behalf of the caller. Because the server does not adequately validate or restrict the destination of those requests, an attacker can supply a crafted URL that points to systems other than the intended target. The server then issues the request from its own network position, often with privileged routing access to internal management subnets.

This class of SSRF is particularly impactful in virtualization management planes. vCenter typically resides on a trusted network segment alongside ESXi hosts, storage controllers, identity providers, and cloud management endpoints. An attacker reaching only the public HTTPS port of vCenter can use the SSRF primitive to probe these internal systems, fingerprint services, and retrieve responses returned to the vulnerable handler.

Root Cause

The root cause is insufficient validation of user-controlled URL or host inputs accepted by a request-issuing component on the vCenter Server HTTPS interface. The component constructs and dispatches the outbound request without enforcing an allowlist of permitted destinations, schemes, or address ranges. Internal addresses and metadata endpoints are therefore reachable through the proxying behavior.
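The allowlist check that the root cause describes as missing, written out as an added illustration of the hardened pattern; this is not vCenter's code. The ALLOWED_SCHEMES and ALLOWED_HOSTS values, the example.com names and the injectable resolver are assumptions for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed policy values for illustration; the real set of destinations a vCenter
# deployment needs is site-specific and the hostnames below are constructed.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"updates.example.com", "sso.example.com"}

def is_internal(addr: str) -> bool:
    """True for loopback, RFC1918/ULA, link-local (incl. 169.254.169.254), reserved or unspecified."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def resolve_all(host: str) -> set:
    """Every address the host currently resolves to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_destination(url: str, resolver=resolve_all) -> tuple:
    """Vet an outbound URL before a request-issuing component dispatches it.
    Returns (ok, reason). The resolver is injectable so the check can run offline."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not permitted"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    bad = sorted(a for a in addrs if is_internal(a))
    if bad:
        # An allowlisted name that points into internal address space is a
        # rebinding or hijack signal and must still be refused.
        return False, f"{host} resolves to non-routable address(es) {bad}"
    # Caveat: to avoid a resolve-then-reconnect race, the HTTP client should
    # connect to one of the vetted addresses rather than resolving the name again.
    return True, "ok"
```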

Attack Vector

Exploitation requires only network reachability to port 443 on a vulnerable vCenter Server. The attacker sends a crafted HTTPS request whose parameters reference a target URL controlled by the attacker or an internal address inside the vCenter network. vCenter resolves and contacts the target, and the response data may be reflected back to the attacker. No credentials and no user interaction are needed.

No verified public proof-of-concept code is available for this issue. Refer to the VMware Security Advisory VMSA-2022-0018 for vendor technical context.

Detection Methods for CVE-2022-22982

Indicators of Compromise

  • Outbound HTTP or HTTPS connections originating from the vCenter Server appliance to unexpected external destinations.
  • vCenter access logs showing HTTPS requests on port 443 containing URL, host, or address parameters that reference internal RFC1918 ranges, loopback addresses, or cloud metadata endpoints.
  • Unusual DNS lookups from the vCenter appliance for attacker-controlled domains used as SSRF callbacks.

Detection Strategies

  • Inspect reverse proxy and application logs on vCenter for HTTP requests containing fully qualified URLs or IP addresses in query parameters or POST bodies.
  • Correlate inbound requests to vCenter port 443 with subsequent outbound requests from the appliance to detect request-forwarding patterns characteristic of SSRF.
  • Compare current outbound destination patterns against a baseline of legitimate vCenter integrations such as Update Manager, identity providers, and licensing services.
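An added example, not part of the original page, that applies the indicators and detection strategies above to constructed access-log lines: it parses each request's query string and flags destination-like parameters that point at loopback, RFC1918, link-local or cloud metadata addresses. The combined-log layout, the /api/fetch path and the parameter names are assumptions, not vCenter specifics.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines in a generic combined-log layout. They are
# not real vCenter log lines; the endpoint and parameter names are assumptions.
SAMPLE_LOG = """\
10.0.5.7 - - [13/Jul/2022:10:01:02 +0000] "GET /ui/login HTTP/1.1" 200 512
203.0.113.9 - - [13/Jul/2022:10:02:15 +0000] "GET /api/fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 2048
203.0.113.9 - - [13/Jul/2022:10:02:40 +0000] "GET /api/fetch?url=http%3A%2F%2F127.0.0.1%3A8080%2Fstatus HTTP/1.1" 500 75
203.0.113.9 - - [13/Jul/2022:10:03:01 +0000] "GET /api/fetch?host=10.10.20.5&port=443 HTTP/1.1" 200 1300
10.0.5.7 - - [13/Jul/2022:10:04:11 +0000] "GET /api/fetch?url=https://updates.example.com/manifest HTTP/1.1" 200 9001
"""

REQUEST_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Parameter names that commonly carry a destination (assumed, not vCenter-specific).
URLISH_PARAMS = {"url", "uri", "host", "address", "target", "redirect", "callback"}
SPECIAL_HOSTS = {"169.254.169.254", "metadata.google.internal", "localhost"}

def internal_target(value: str) -> bool:
    """True if a URL or bare host[:port] points at loopback, private, link-local or metadata space."""
    value = unquote(value)
    host = urlparse(value if "://" in value else "//" + value).hostname
    if not host:
        return False
    if host.lower() in SPECIAL_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolving it is out of scope for offline log review
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified

def find_ssrf_candidates(log_text: str) -> list:
    """Return requests whose destination-like query parameters reference internal targets."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlparse(m.group("path")).query, keep_blank_values=True)
        for name, values in params.items():
            if name.lower() in URLISH_PARAMS and any(internal_target(v) for v in values):
                hits.append({"src": m.group("src"), "param": name,
                             "value": unquote(values[0]), "status": m.group("status")})
                break  # one finding per request is enough for triage
    return hits

for hit in find_ssrf_candidates(SAMPLE_LOG):
    print(f"{hit['src']} -> {hit['param']}={hit['value']} (HTTP {hit['status']})")
```

Request bodies of POST calls need the same treatment, and hits should be correlated with outbound flows from the appliance as the next bullet list describes; a hostname in the parameter is only resolvable with DNS logs or the appliance's own lookups.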

Monitoring Recommendations

  • Forward vCenter Server HTTPS access logs and appliance network flow data to a centralized analytics platform for retention and search.
  • Alert on any outbound connections from the vCenter appliance to internet destinations that are not part of an approved integration list.
  • Monitor for scans of internal management interfaces, ESXi hosts, and storage endpoints that originate from the vCenter Server IP address.

How to Mitigate CVE-2022-22982

Immediate Actions Required

  • Apply the fixed builds listed in VMware Security Advisory VMSA-2022-0018 for vCenter Server 6.5, 6.7, and 7.0, and for VMware Cloud Foundation deployments.
  • Restrict network access to vCenter Server port 443 to dedicated administrative networks and jump hosts; do not expose vCenter to the public internet.
  • Review vCenter access and audit logs for anomalous request patterns dating back to before the patch was applied.

Patch Information

VMware addressed CVE-2022-22982 in the fixed releases enumerated in VMSA-2022-0018. For VMware Cloud Foundation, apply the corresponding async patches that update the embedded vCenter Server components. Validate the build number after upgrade against the advisory's resolution matrix to confirm the fix is in place.

Workarounds

  • No vendor-supplied configuration workaround is listed in VMSA-2022-0018; patching is the supported remediation.
  • Place vCenter Server behind a management bastion or VPN and enforce strict allowlists on its inbound interface as a compensating control until patching completes.
  • Apply egress filtering on the vCenter appliance to deny outbound connections to networks and metadata endpoints that have no legitimate operational use.
```bash
# Example egress allowlist concept for the vCenter appliance (illustrative).
# Permit only required outbound destinations and deny all other traffic.
# Replace the bracketed placeholders with real addresses, and add ACCEPT rules
# for every other dependency (DNS, NTP, syslog, ESXi hosts) before the final DROP.
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d <update-server-ip> -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -d <identity-provider-ip> -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
