CVE-2024-22248 Overview
CVE-2024-22248 is an open redirect vulnerability [CWE-601] in VMware SD-WAN Orchestrator. The flaw stems from improper path handling in the application, allowing an attacker to craft a URL that redirects a victim to an attacker-controlled domain. Successful exploitation requires user interaction, typically through clicking a malicious link. The redirect can be used to harvest credentials, deliver malware, or expose sensitive information.
Critical Impact
A network-based attacker can redirect authenticated SD-WAN Orchestrator users to attacker-controlled domains, enabling phishing campaigns and sensitive information disclosure against organizations operating VMware SD-WAN infrastructure.
Affected Products
- VMware SD-WAN Orchestrator (refer to VMware Security Advisory VMSA-2024-0008 for affected versions)
Discovery Timeline
- 2024-04-02 - CVE-2024-22248 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-22248
Vulnerability Analysis
The vulnerability is classified as an open redirect [CWE-601] in the VMware SD-WAN Orchestrator web interface. SD-WAN Orchestrator is the centralized management plane used by administrators to configure and monitor VMware SD-WAN deployments. The application fails to validate user-supplied path or URL parameters before issuing an HTTP redirect response.
An attacker constructs a URL that points to a legitimate Orchestrator hostname but encodes an external destination within a vulnerable redirect parameter. When the victim follows the link, the Orchestrator returns a redirect to the attacker-controlled domain. Because the initial domain belongs to a trusted enterprise system, the request bypasses common URL-based trust heuristics.
The Exploit Prediction Scoring System (EPSS) currently rates this issue at 0.385%, reflecting limited observed exploitation activity. No public proof-of-concept is associated with the CVE at this time.
Root Cause
The root cause is improper path handling within the Orchestrator's redirect logic. The application accepts attacker-influenced input as a destination URL and uses it in an HTTP Location header without restricting the target to internal hosts or an allowlist of approved domains.
Attack Vector
Exploitation occurs over the network and requires the victim to interact with a crafted link. An attacker hosts a phishing page or malware loader on an external domain, then distributes an Orchestrator URL embedding that domain. After the redirect fires, the victim's browser loads attacker content while session context from the original Orchestrator domain may be exposed through referer headers or token leakage.
For technical specifics and affected build numbers, refer to the VMware Security Advisory VMSA-2024-0008.
Detection Methods for CVE-2024-22248
Indicators of Compromise
- HTTP responses from the Orchestrator containing Location headers pointing to external, non-VMware domains.
- Inbound requests to Orchestrator URLs containing encoded external hostnames in path or query parameters.
- User reports of unexpected redirects from the Orchestrator login or management URLs to unfamiliar sites.
Detection Strategies
- Inspect web server and proxy logs for Orchestrator redirect responses (HTTP 301, 302, 307) that resolve to domains outside the organization's approved list.
- Correlate Orchestrator access logs with DNS and proxy telemetry to identify users following links into untrusted infrastructure shortly after touching the Orchestrator.
- Apply web application firewall (WAF) signatures that flag external URLs embedded in redirect-bearing query parameters targeting the Orchestrator.
Monitoring Recommendations
- Centralize Orchestrator access logs and review redirect traffic patterns for anomalies.
- Alert on phishing emails that reference the Orchestrator hostname combined with long encoded query strings.
- Monitor authentication events that occur on external domains immediately after Orchestrator interaction, which may indicate credential capture attempts.
How to Mitigate CVE-2024-22248
Immediate Actions Required
- Apply the fixes referenced in VMware Security Advisory VMSA-2024-0008 to all VMware SD-WAN Orchestrator instances.
- Restrict Orchestrator administrative access to trusted networks and VPN endpoints to reduce phishing exposure.
- Notify Orchestrator users about the risk of crafted links and reinforce verification of redirect destinations before entering credentials.
Patch Information
VMware released fixed versions as documented in VMSA-2024-0008. Administrators should consult the advisory for the specific patched build numbers applicable to their deployment and follow VMware's upgrade procedures for the Orchestrator component.
Workarounds
- Place the Orchestrator behind a reverse proxy or WAF that enforces strict redirect validation and strips external Location targets.
- Implement DNS or proxy-based egress filtering so that user browsers cannot reach unapproved domains during Orchestrator workflows.
- Train administrators to access the Orchestrator through bookmarks rather than emailed or chat-delivered links until patching is complete.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

