CVE-2022-22954
CVE-2022-22954 is a critical-severity vulnerability in Vmware Identity Manager with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-04-14). The underlying weakness is classified as CWE-94.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-04-14)
- EU (EUVD) id: EUVD-2022-28077
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-04-14)
- Weakness: CWE-94
- Affected product: Vmware Identity Manager
- Published:
- Last modified:
Description
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
CVE-2022-22954: VMware Workspace ONE Access Server-Side Template Injection (SSTI)
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2022-22954 |
| CWE | CWE-94: Code Injection |
| CVSS v3.1 | 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSS v2 | 10.0 — AV:N/AC:L/Au:N/C:C/I:C/A:C |
| EPSS | 0.99997 (99.988th percentile) |
| KEV | Yes — added 2022-04-14 |
| EU Exploited | Yes — EUVD-2022-28077, since 2022-04-14 |
| Published | 2022-04-11 |
| Assigner | [email protected] |
| References | VMSA-2022-0011, CISA KEV, Packet Storm |
Summary
CVE-2022-22954 is a critical server-side template injection (SSTI) vulnerability in VMware Workspace ONE Access and Identity Manager. An unauthenticated attacker with network access can inject malicious template expressions into user-facing input fields, leading to arbitrary remote code execution on the underlying host. With a CVSS v3.1 score of 9.8 and active exploitation confirmed by CISA and the EU Vulnerability Database, this flaw demands immediate remediation.
Background
VMware Workspace ONE Access is an enterprise identity and access management platform that provides single sign-on (SSO), multi-factor authentication, and conditional access across SaaS, web, and native applications. Identity Manager is the on-premises deployment variant of the same technology stack. Both products rely on server-side templating engines to render dynamic content in web interfaces. Improper neutralization of user input within these templates creates an injection surface that can be weaponized for full system compromise.
Root Cause — CWE-94: Code Injection
The vulnerability stems from inadequate input validation and sanitization before user-supplied data is passed to a server-side template engine. Specifically, the application evaluates attacker-controlled input as template expressions rather than literal data. This is a classic instance of CWE-94: Code Injection. The templating engine's expression parser does not enforce a strict separation between template logic and user data, allowing an attacker to break out of the data context and execute arbitrary code within the template runtime. The resulting code execution inherits the privileges of the application server process, typically running with elevated or system-level permissions.
Impact
The CVSS v3.1 metrics paint a severe picture:
- Attack Vector (AV): Network — exploitable remotely without local access.
- Attack Complexity (AC): Low — no special conditions or race conditions required.
- Privileges Required (PR): None — fully unauthenticated.
- User Interaction (UI): None — no victim action needed.
- Scope (S): Unchanged — impact stays within the vulnerable component.
- Confidentiality (C), Integrity (I), Availability (A): All High.
An attacker can read sensitive configuration files, pivot laterally within the network, deploy ransomware, or establish persistent backdoors. The CVSS v2 score of 10.0 and EPSS of 0.99997 reflect both the ease of exploitation and the near-certainty of in-the-wild abuse.
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: The following description is provided for defensive detection, network monitoring, and patch-verification purposes only. Do not use this information to attack systems without explicit authorization.
An attacker typically targets the authentication or self-service registration endpoints of Workspace ONE Access. The malicious payload is crafted as a server-side template expression (the exact syntax depends on the underlying engine, e.g., Freemarker, Velocity, or a custom VMware implementation). When the server renders the page, the template engine evaluates the expression, resulting in command execution. Common observable indicators include:
- Unexpected outbound connections from the Workspace ONE Access server to attacker-controlled infrastructure.
- Child process spawning under the Tomcat or service account (e.g.,
cmd.exe,powershell.exe, or/bin/sh). - File-system modifications in the web application directories or temporary folders.
- Anomalous HTTP POST requests to login or profile endpoints containing template-like delimiters (
${...},{{...}},<#...>).
Defenders should monitor web access logs for these patterns and correlate with process-creation telemetry on the host.
Affected and Patched Versions
The following products and versions are confirmed vulnerable based on CPE data from NVD:
- VMware Identity Manager: 3.3.3, 3.3.4, 3.3.5, 3.3.6
- VMware Workspace ONE Access: 20.10.0.0, 20.10.0.1, 21.08.0.0, 21.08.0.1
- VMware vRealize Automation: 7.6
- VMware Cloud Foundation: all versions (advisory recommends patching)
- VMware vRealize Suite Lifecycle Manager: all versions (advisory recommends patching)
VMware released patches in VMSA-2022-0011. Administrators should consult the official advisory for the latest patch matrix and build numbers, as additional affected versions may have been identified since initial publication.
Remediation
- Patch immediately. Apply the updates listed in VMware Security Advisory VMSA-2022-0011. Prioritize internet-facing instances and any systems listed in the CISA KEV catalog.
- Compensating controls: If patching is not immediately feasible, restrict network access to the administrative and user portals using firewall rules, VPN enforcement, or WAF policies. Note that this does not eliminate the vulnerability—only reduces exposure.
- Disable unnecessary features: Turn off self-service registration or external identity-provider integrations if they are not required, as these may expose the vulnerable template-rendering paths.
- Review integrations: Ensure that downstream systems relying on Workspace ONE Access for authentication are not implicitly trusting tokens issued by a compromised instance.
Detection
- Network: Monitor for HTTP requests containing template-injection signatures (
${,{{,<#) in POST bodies to Workspace ONE Access endpoints. - Endpoint: Alert on child process creation by the Workspace ONE Access service account (e.g., Java/Tomcat spawning shells or scripting interpreters).
- Identity: Look for anomalous SSO token issuance, unexpected application assignments, or privilege-escalation events within the Workspace ONE directory.
- Threat-intelligence: Cross-reference external IP communications against known indicators of compromise (IOCs) associated with post-exploitation frameworks observed in KEV-related incidents.
Assessment
CVE-2022-22954 is a textbook example of why server-side template injection remains one of the most dangerous web-application vulnerability classes. The combination of unauthenticated access, low attack complexity, and high-impact outcome (full RCE) makes it an ideal target for mass exploitation. The EPSS of 0.99997 and inclusion in both the CISA KEV and EU vulnerability databases confirm that this is not a theoretical risk—it has been actively exploited in ransomware campaigns since April 2022.
Key lessons:
- Never trust user input in template contexts. All data bound to server-side templates must be treated as untrusted and escaped or sandboxed appropriately.
- Kinematic patching is essential. A three-day gap between disclosure and KEV listing (2022-04-11 to 2022-04-14) demonstrates how quickly attackers weaponize high-impact, unauthenticated RCE flaws. Organizations must have an emergency-patch process for critical infrastructure with internet exposure.
References
Frequently asked questions
- What is CVE-2022-22954?
- VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
- How severe is CVE-2022-22954?
- CVE-2022-22954 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-22954 being actively exploited?
- Yes. CVE-2022-22954 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-04-14, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-22954?
- CVE-2022-22954 primarily affects Vmware Identity Manager. In total, 11 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-22954?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-22954 have an EU (EUVD) identifier?
- Yes. CVE-2022-22954 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-28077. It is also flagged as exploited in the EUVD (since 2022-04-14).
- When was CVE-2022-22954 published?
- CVE-2022-22954 was published on 2022-04-11 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html
- https://www.vmware.com/security/advisories/VMSA-2022-0011.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22954
Affected products (11)
- cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:identity_manager:3.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:identity_manager:3.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vrealize_automation:7.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:workspace_one_access:20.10.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:workspace_one_access:20.10.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:workspace_one_access:21.08.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:workspace_one_access:21.08.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:*:*:*:*:*:*:*:*
More vulnerabilities in Vmware Identity Manager
- CVE-2022-31657 — Critical (CVSS 9.8): VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. A malicious actor with network…
- CVE-2022-31656 — Critical (CVSS 9.8): VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability…
- CVE-2022-22972 — Critical (CVSS 9.8): VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability…
- CVE-2022-22956 — Critical (CVSS 9.8): VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the…
- CVE-2022-22955 — Critical (CVSS 9.8): VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the…
- CVE-2021-22002 — Critical (CVSS 9.8): VMware Workspace ONE Access and Identity Manager, allow the /cfg web app and diagnostic endpoints, on port 8443, to be…
All CVEs affecting Vmware Identity Manager →
Other CWE-94 (Code Injection) vulnerabilities
- CVE-2026-57624 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.
- CVE-2026-10134 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read…
- CVE-2026-53576 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter…
- CVE-2026-10561 — Critical (CVSS 10.0): IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined…
- CVE-2026-25470 — Critical (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin…
- CVE-2026-48836 — Critical (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.