What is VMware/Omnissa Workspace ONE UEM?
Workspace ONE UEM (Unified Endpoint Management), formerly VMware AirWatch, is an enterprise mobility management (EMM) and endpoint management platform used by large organizations to manage mobile devices, laptops, and other endpoints across iOS, Android, Windows, and macOS. Workspace ONE UEM is a cloud-hosted or on-premises service that acts as a central management console for all employee devices. The product was rebranded from VMware to Omnissa after VMware's acquisition by Broadcom and the subsequent spinoff of the end-user computing business. As a management platform, Workspace ONE UEM has privileged access to device inventories, security policies, and application distribution across an organization.
Overview
CVE-2021-22054 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in Omnissa Workspace ONE UEM (formerly VMware Workspace ONE UEM). An unauthenticated attacker with network access to the UEM management interface can send specially crafted HTTP requests to cause the UEM server to make outbound requests to attacker-specified destinations. This enables access to internal network resources, cloud metadata endpoints, and sensitive configuration information that would otherwise be inaccessible to an external attacker. VMware addressed this in VMSA-2021-0029 in December 2021. CISA added it to KEV in March 2026 — over four years after initial publication — following confirmed exploitation in government and enterprise environments.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Workspace ONE UEM console 21.x before patch | Yes | Apply VMSA-2021-0029 patch |
| Workspace ONE UEM console 20.x and earlier | Yes | Apply VMSA-2021-0029 patch |
Technical Details
The Workspace ONE UEM management console processes HTTP requests that include URLs for various integrations and health checks. These URL parameters are used by the server to make outbound connections without adequate validation:
- Root cause: Server-side request forgery (CWE-918) — the UEM console makes HTTP requests to URLs specified in attacker-controlled parameters without restricting the destination to trusted hosts
- No authentication required — the SSRF is triggerable from unauthenticated requests to specific UEM endpoints
- Information disclosure focus: CVSS shows Confidentiality: High with Integrity: None — the primary impact is reading sensitive data from internal network resources, not modifying them
- SSRF targets: cloud metadata services (AWS IMDSv1 at 169.254.169.254, Azure IMDS, GCP metadata), internal UEM database connection strings, LDAP/Active Directory credential configurations, and other internal services
- Attack Complexity: Low — the SSRF is straightforward to trigger without complex conditions
Discovery
Reported to VMware by external security researchers. VMware addressed this in VMSA-2021-0029 alongside other Workspace ONE UEM vulnerabilities. The four-year gap to KEV addition reflects slow migration cycles in enterprise MDM deployments.
Exploitation Context
Workspace ONE UEM SSRF is particularly impactful in cloud-hosted deployments where the server has access to cloud provider metadata endpoints — an SSRF to the cloud metadata service can expose IAM credentials, instance identity documents, and bootstrap secrets. In on-premises deployments, SSRF enables internal network scanning and access to services in network segments accessible to the UEM server but not from the internet. Nation-state actors exploited this for intelligence gathering without modifying the UEM platform (consistent with the Confidentiality-only impact).
Remediation
- Apply patches per VMware VMSA-2021-0029 — consult Omnissa's current advisory portal for the latest patch instructions
- Implement network-level controls to restrict outbound HTTP/HTTPS connections from the Workspace ONE UEM server to a defined allowlist of necessary destinations
- For cloud-deployed UEM instances: require IMDSv2 (AWS) or equivalent metadata service protection to prevent SSRF-based credential extraction
- Review Workspace ONE UEM access logs for unusual outbound connection attempts to internal IP ranges or cloud metadata endpoints
- Apply network segmentation to limit what internal resources the UEM server can reach
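To make the destination allowlist that the root cause above calls for and the outbound-log review recommended here concrete, the following is an added example (not Omnissa's or VMware's code): a classifier that rejects metadata and internal addresses, resolves hostnames through a caller-supplied callback, and runs over constructed outbound-connection log lines. The log format, the allowlisted hosts and the resolver callback are assumptions, not UEM's actual logging.

```python
# Added example, not Omnissa/VMware code; log format and allowlist are constructed.
import ipaddress
import re
from urllib.parse import urlsplit
# Metadata endpoints named on the page; AWS and Azure IMDS share the
# link-local address, GCP uses a hostname that resolves to it too.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}
# Constructed allowlist of hosts the UEM server legitimately talks to.
ALLOWED_HOSTS = {"api.example-integration.test", "updates.example.test"}
LOG_RE = re.compile(r"^(\S+) outbound (\S+)$")
# Constructed sample of outbound-connection log lines from a UEM server.
SAMPLE_LOG = """\
2021-12-18T09:00:01Z outbound https://api.example-integration.test/health
2021-12-18T09:00:07Z outbound http://169.254.169.254/latest/meta-data/
2021-12-18T09:00:09Z outbound http://10.0.4.12:1433/
2021-12-18T09:00:12Z outbound http://metadata.google.internal/computeMetadata/v1/
2021-12-18T09:00:15Z outbound https://unrecognized.example/collect
""".splitlines()


def destination_risk(url, resolver=None):
    """Classify a URL as 'metadata', 'internal', 'blocked' or 'allowed'.
    resolver(host) -> IP string or None plugs in DNS; by default only
    literal IPs are examined so the check runs offline. CWE-918 is fixed
    by an allowlist, so hosts outside ALLOWED_HOSTS are 'blocked' even
    when public."""
    host = (urlsplit(url).hostname or "").lower()
    if host in METADATA_HOSTS:
        return "metadata"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        resolved = resolver(host) if resolver else None
        ip = ipaddress.ip_address(resolved) if resolved else None
    if ip is not None:
        if ip.is_link_local:  # 169.254.0.0/16 and fe80::/10: metadata class
            return "metadata"
        if not ip.is_global:  # RFC 1918, loopback, reserved, unspecified
            return "internal"
    return "allowed" if host in ALLOWED_HOSTS else "blocked"


def flag_log_lines(lines, resolver=None):
    """Return (timestamp, url, risk) for every line not on the allowlist."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match:
            risk = destination_risk(match.group(2), resolver)
            if risk != "allowed":
                hits.append((match.group(1), match.group(2), risk))
    return hits
```

Passing a real DNS lookup as `resolver` also catches an allowlisted name that resolves to an internal address, which a hostname-only allowlist would miss.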
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-22054 |
| Vendor / Product | Omnissa — Workspace ONE UEM |
| NVD Published | 2021-12-17 |
| NVD Last Modified | 2026-03-10 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Severity | HIGH |
| CWE | CWE-918 |
| CISA KEV Added | 2026-03-09 |
| CISA KEV Deadline | 2026-03-23 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2021-12-17 | VMware publishes VMSA-2021-0029 addressing CVE-2021-22054; CVE published |
| 2026-03-09 | Added to CISA Known Exploited Vulnerabilities catalog — over four years after CVE publication |
| 2026-03-23 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| VMware Security Advisory VMSA-2021-0029 (archived) | Vendor Advisory |
| NVD — CVE-2021-22054 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |