CVE-2022-22954 — VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability

VMware Workspace ONE Access — Pre-Auth RCE via FreeMarker Server-Side Template Injection

What is VMware Workspace ONE Access?

VMware Workspace ONE Access (formerly VMware Identity Manager) is an identity and access management platform providing single sign-on, multi-factor authentication, and conditional access policies for enterprise applications. It is a critical identity infrastructure component deployed on-premises or as a virtual appliance, often accessible from the internet as the gateway for employee remote access to corporate applications. Identity platforms are extremely high-value targets because compromising them enables lateral movement to all downstream applications.

Overview

CVE-2022-22954 is a pre-authentication remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager caused by server-side template injection (SSTI) in the FreeMarker templating engine. An unauthenticated attacker with network access to the Workspace ONE Access web interface can send a crafted HTTP request whose parameter value is rendered as FreeMarker template source, which lets the attacker instantiate FreeMarker utility classes and run arbitrary OS commands as the web application user. CVSS 9.8 (Critical). Exploitation was confirmed in the wild almost immediately: CISA added the CVE to the KEV catalog 8 days after the vendor advisory, and CISA's KEV entry flags known ransomware use.

Affected Versions

Product                        Vulnerable versions                          Fixed
VMware Workspace ONE Access    21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0    See VMSA-2022-0011
VMware Identity Manager        3.3.6, 3.3.5, 3.3.4, 3.3.3                   See VMSA-2022-0011
VMware vRealize Automation     7.6 (embeds Identity Manager)                See VMSA-2022-0011

Technical Details

The vulnerability is server-side template injection (CWE-94, code injection) in the FreeMarker template engine used by the Workspace ONE Access web application. User-supplied input is placed into FreeMarker template source, rather than being passed to the template as a data-model value, so the engine parses and evaluates whatever expressions the input contains.

FreeMarker's expression language includes built-ins that reach into the JVM: ?new instantiates any Java class that implements freemarker.template.TemplateModel, and ?eval evaluates a string as a FreeMarker expression. Unless the application installs a restrictive TemplateClassResolver, an attacker who controls template source can:

  1. Instantiate freemarker.template.utility.Execute (a utility class shipped with FreeMarker) and call it to run OS commands
  2. Instantiate other TemplateModel implementations via ?new(), such as freemarker.template.utility.ObjectConstructor, to construct arbitrary Java objects

Example injection pattern (simplified):

${"freemarker.template.utility.Execute"?new()("id")}

The injection point is a request parameter on an endpoint that is reachable before authentication; its value is reflected into a FreeMarker error template. Because the value becomes part of the template source rather than a model variable, the ${...} interpolation is evaluated instead of being printed back, and the Execute call runs with the privileges of the web application.
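The following Java program is an added illustration, not code from this page, VMware, or FreeMarker. It contrasts the vulnerable pattern (untrusted text concatenated into template source) with two fixes: passing the input as a data-model value so it is interpolated as data, and configuring a TemplateClassResolver so ?new() cannot reach Execute even if the concatenation bug remains. The model variable name message, the class name, and the assumption that FreeMarker 2.3.31 is on the classpath are this example's own.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class FreemarkerSstiDemo {

    // Constructed attacker input in the shape of the advisory's injection pattern.
    static final String PAYLOAD =
            "${\"freemarker.template.utility.Execute\"?new()(\"id\")}";

    // VULNERABLE: untrusted input is concatenated into the template SOURCE,
    // so FreeMarker parses and evaluates any ${...} the attacker supplies.
    static String renderVulnerable(Configuration cfg, String untrusted)
            throws IOException, TemplateException {
        String source = "<p>Error: " + untrusted + "</p>";
        Template t = new Template("error", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // FIXED: template source is a constant; the input enters only as a
    // data-model value ("message" is a hypothetical variable name) and is
    // emitted as text, never parsed as template code.
    static String renderFixed(Configuration cfg, String untrusted)
            throws IOException, TemplateException {
        String source = "<p>Error: ${message}</p>";
        Template t = new Template("error", new StringReader(source), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("message", untrusted);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    // Defence in depth: refuse ?new() for every class, so that even a template
    // that does get attacker-controlled source cannot instantiate Execute.
    // (TemplateClassResolver.SAFER_RESOLVER is a weaker option that blocks
    // Execute, ObjectConstructor and JythonRuntime but allows other classes.)
    static Configuration hardenedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false); // keep ?api disabled (it is off by default)
        return cfg;
    }

    public static void main(String[] args) throws Exception {
        // Default Configuration uses UNRESTRICTED_RESOLVER: ?new() on Execute is allowed.
        Configuration lax = new Configuration(Configuration.VERSION_2_3_31);

        // 1. Vulnerable render, default resolver: "id" executes on the server
        //    and its output is embedded in the page.
        System.out.println("vulnerable: " + renderVulnerable(lax, PAYLOAD));

        // 2. Same vulnerable code, hardened resolver: ?new() is refused and
        //    FreeMarker throws a TemplateException instead of running "id".
        try {
            renderVulnerable(hardenedConfig(), PAYLOAD);
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // 3. Fixed code: the payload is printed back verbatim as data.
        System.out.println("fixed: " + renderFixed(lax, PAYLOAD));
    }
}
```

The resolver setting is a mitigation, not a substitute for the real fix: the root cause is building template source from request data, and any template that still does so remains an injection point for whatever the resolver does allow.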

Discovery

Discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The vulnerability was responsibly disclosed to VMware and patched in April 2022.

Exploitation Context

Workspace ONE Access is internet-facing by design — it must be reachable from the internet for remote employee authentication. This makes it an ideal target for initial access. Confirmed threat actors exploiting this vulnerability include:

  • State-sponsored actors: reporting attributed exploitation to Chinese-nexus threat actors (UNC2630 and others), who chained this vulnerability with CVE-2022-22960 (a separate VMware local privilege escalation) to move from the web application user to root and establish persistent access to enterprise networks
  • Ransomware operators: CISA's KEV entry flags known ransomware use, reflecting ransomware groups using identity-platform compromise as a pivot into broader network access
  • Cryptomining: lower-sophistication actors dropped miners after gaining initial access

Exploitation was rapid enough that CISA added the CVE to KEV 8 days after the advisory, one of the fastest KEV additions for an enterprise product vulnerability.

Remediation

  1. Apply the VMware patch: Update per VMSA-2022-0011, which lists the fixed builds for each affected product line.
  2. Apply the VMware workaround if patching is delayed: VMware published a Python workaround script, referenced from VMSA-2022-0011, that disables the vulnerable component until the patch can be applied. Treat it as temporary; re-verify after any appliance upgrade, since a reinstall or upgrade can undo it.
  3. Restrict network access: Place Workspace ONE Access behind a reverse proxy or VPN, and keep the administrative interface off the internet entirely.
  4. Review logs: Check web access logs for requests whose parameters contain FreeMarker syntax such as ${, ?new( or freemarker.template.utility.Execute (URL-encoded forms included), and review Workspace ONE Access audit logs for unexpected authentication events, service account usage, or administrative changes.
  5. Assume compromise if unpatched during exposure: If the appliance was internet-accessible during the vulnerability window, treat it as potentially compromised. Look for web shells and unexpected child processes of the web application, and rotate all service accounts, secrets, and certificates managed by the identity manager.
  6. Check for chained exploitation: Attackers combined CVE-2022-22954 with CVE-2022-22960 (privilege escalation to root); investigate both if compromise is suspected.

Key Details

Property               Value
CVE ID                 CVE-2022-22954
Vendor / Product       VMware — Workspace ONE Access and Identity Manager
NVD Published          2022-04-11
NVD Last Modified      2025-10-30
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-94
CISA KEV Added         2022-04-14
CISA KEV Deadline      2022-05-05
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-05. Apply updates per vendor instructions.

Timeline

Date         Event
2022-04-06   VMware published VMSA-2022-0011 and patched versions
2022-04-11   CVE published
2022-04-14   Added to CISA Known Exploited Vulnerabilities catalog; CISA alert published
2022-05-05   CISA BOD 22-01 remediation deadline