CVE-2022-22948 — VMware vCenter Server Incorrect Default File Permissions Vulnerability

CVE-2022-22948

VMware vCenter Server — World-Readable vcdb.properties Exposes vPostgres Database Credentials to Authenticated Users

What is VMware vCenter Server?

VMware vCenter Server is the centralized management platform for VMware vSphere virtualization infrastructure. It manages ESXi hosts, virtual machines, storage, and networking across an entire virtual datacenter. Because vCenter controls the entire virtual infrastructure — including the ability to create, modify, and export VMs — it is one of the highest-value targets in enterprise environments. Credential exposure against vCenter can lead to complete virtualization infrastructure compromise.

Overview

CVE-2022-22948 is an incorrect default file permissions vulnerability (CWE-276) in VMware vCenter Server. The vcdb.properties configuration file — which contains credentials for the embedded vPostgres database that stores vCenter's configuration data — was stored with world-readable permissions on the vCenter VCSA (virtual appliance). Any authenticated user with SSH or shell access to the vCenter appliance could read this file and extract the database password. VMware patched this in March 2022, but CISA added it to KEV in July 2024 — over two years later — reflecting continued exploitation against unpatched deployments.

Affected Versions

Product                      Vulnerable     Fixed
vCenter Server 7.0           < 7.0 U3d      7.0 U3d
vCenter Server 6.7           < 6.7 U3p      6.7 U3p
vCenter Server 6.5           < 6.5 U3r      6.5 U3r
Cloud Foundation (vCenter)   Various        See VMSA-2022-0009

Technical Details

The vCenter VCSA runs a PostgreSQL database instance (vpostgres) that stores all vCenter configuration, inventory, and event data. The connection credentials for this database are stored in /etc/vmware/vpx/vcdb.properties. On vulnerable versions, this file was readable by all users on the system (world-readable permissions):

  • Exposed file: /etc/vmware/vpx/vcdb.properties — contains vcdb.password (the vpostgres database password)
  • Access requirement: Any user with authenticated access to the vCenter appliance shell (via SSH, local console, or web shell from another vulnerability)
  • Privilege escalation path: With the database password, an attacker can connect to the vpostgres database and read the vCenter inventory (VM configurations, stored ESXi host credentials, user data) or write to database tables
  • Credential chaining: Often chained with other vCenter vulnerabilities (authentication bypass, XXE, SSRF) that provide initial shell access, after which this CVE is used to escalate from a limited shell to database access

Discovery

Attributed to security researchers examining vCenter appliance file permissions. The two-year gap between the March 2022 patch and the July 2024 KEV addition indicates that unpatched vCenter deployments were being discovered and exploited in post-exploitation chains well after the vulnerability was publicly known.

Exploitation Context

VMware vCenter is a common post-exploitation pivot target in ransomware campaigns and nation-state intrusions. Attackers who compromise vCenter can snapshot and exfiltrate entire VMs, shut down production infrastructure, or use vCenter's privileged management credentials to move laterally across the environment. CVE-2022-22948 is most dangerous when chained with authentication bypass vulnerabilities that provide initial access to the vCenter appliance.

Remediation

  1. Apply VMware security updates: vCenter Server 7.0 U3d, 6.7 U3p, or 6.5 U3r (per VMSA-2022-0009)
  2. If immediate patching is not possible, manually restrict permissions on vcdb.properties:
     chmod 600 /etc/vmware/vpx/vcdb.properties
  3. Restrict SSH access to the vCenter appliance to authorized administrators only
  4. Review vCenter appliance access logs for unauthorized SSH sessions
  5. Rotate the vpostgres database password and update vcdb.properties on patched systems
  6. Ensure the vCenter management interface (HTTPS 443, 5480) is not exposed to untrusted networks
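The following script is an added example, not code from VMware or from this advisory. It turns the vulnerable condition from the Technical Details section (vcdb.properties readable by group or other) into an audit check, and applies the interim fix from remediation step 2 (chmod 600) with verification. It assumes the file is at the path the advisory names (override with VCDB_FILE=... to audit a copy) and that the password key is spelled either "password" or "vcdb.password"; it never prints the value. The check parses the ls(1) permission string rather than stat(1) flags so it runs the same way on the appliance and on a test box.

```shell
#!/bin/sh
# Added example, not part of the VMware advisory or this page: audit the
# permissions on vcdb.properties for the world/group-readable condition behind
# CVE-2022-22948 and apply the chmod 600 interim fix.
# Assumptions: the file lives at the path the advisory names (override with
# VCDB_FILE=...); the password key is "password" or "vcdb.password" (both are
# matched, neither value is ever echoed).

VCDB_FILE="${VCDB_FILE:-/etc/vmware/vpx/vcdb.properties}"

# Nine-character rwx string for a file, e.g. "rw-r--r--" (no stat(1) flags needed).
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Succeeds (returns 0) when group or other can read the file: the vulnerable state.
# Position 4 of the string is the group read bit, position 7 the other read bit.
is_exposed() {
    case "$(perm_string "$1")" in
        ???r?????|??????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when the file carries a database password key (the value is not printed).
has_password_key() {
    grep -Eq '^[[:space:]]*(vcdb\.)?password[[:space:]]*=' "$1"
}

# Report the file's state. Returns 0 = safe, 1 = vulnerable, 2 = file missing.
audit_vcdb() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "SKIP: $f not found"
        return 2
    fi
    owner=$(ls -ld "$f" | awk '{print $3 ":" $4}')
    mode=$(perm_string "$f")
    if has_password_key "$f"; then
        secret="contains a password key"
    else
        secret="no password key found"
    fi
    if is_exposed "$f"; then
        echo "VULNERABLE: $f mode=$mode owner=$owner ($secret) - readable by group/other"
        return 1
    fi
    echo "OK: $f mode=$mode owner=$owner ($secret)"
    return 0
}

# Apply the advisory's interim fix (chmod 600) and verify it actually took effect.
harden_vcdb() {
    f="$1"
    [ -f "$f" ] || { echo "SKIP: $f not found"; return 2; }
    chmod 600 "$f" || return 1
    if is_exposed "$f"; then
        echo "FAIL: $f still readable by group/other ($(perm_string "$f"))"
        return 1
    fi
    echo "FIXED: $f is now $(perm_string "$f")"
    return 0
}

# Stand-alone use on the appliance: sh vcdb_perms.sh --audit   or   sh vcdb_perms.sh --fix
case "${1:-}" in
    --audit) audit_vcdb "$VCDB_FILE" ;;
    --fix)   audit_vcdb "$VCDB_FILE" || harden_vcdb "$VCDB_FILE" ;;
esac
```

Run with --audit from a scheduled job to catch drift after upgrades or restores; the non-zero exit status on a vulnerable file makes it easy to wire into a compliance check. --fix only changes the mode, so it is safe to re-run, but the real fix remains the patched vCenter build and a password rotation as in step 5.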

Key Details

Property              Value
CVE ID                CVE-2022-22948
Vendor / Product      VMware — vCenter Server
NVD Published         2022-03-29
NVD Last Modified     2025-10-31
CVSS 3.1 Score        6.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity              MEDIUM
CWE                   CWE-276
CISA KEV Added        2024-07-17
CISA KEV Deadline     2024-08-07
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2024-08-07. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2022-03-29   VMware publishes VMSA-2022-0009 advisory; CVE published; patches released
2024-07-17   Added to CISA Known Exploited Vulnerabilities catalog
2024-08-07   CISA BOD 22-01 remediation deadline

References

Resource                                    Type
VMware Security Advisory VMSA-2022-0009     Vendor Advisory
NVD — CVE-2022-22948                        Vulnerability Database
CISA KEV Catalog Entry                      US Government