CVE-2022-22960 — VMware Multiple Products Privilege Escalation Vulnerability

VMware Workspace ONE Access, Identity Manager, vRealize Automation — Improper Permissions in Support Scripts Enabling Root Escalation

What are VMware Workspace ONE Access and Identity Manager?

VMware Workspace ONE Access (formerly VMware Identity Manager) and vRealize Automation are enterprise identity, access management, and infrastructure automation platforms deployed in large enterprises and government environments. They manage authentication, single sign-on (SSO), and cloud infrastructure lifecycle — making them high-value targets. A privileged session on these systems can lead to credential theft, lateral movement, and access to all managed cloud resources.

Overview

CVE-2022-22960 is a privilege escalation vulnerability (CWE-732: Incorrect Permission Assignment for Critical Resource) in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. Improper file permissions on support scripts allow a low-privilege local user to escalate to root. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog two days after the CVE was published, reflecting rapid exploitation following public disclosure.

This CVE is particularly dangerous when chained with CVE-2022-22954 (server-side template injection in the same products, CVSS 9.8) — a combination that allows an unauthenticated remote attacker to achieve root code execution with no user interaction.

Affected Versions

Product                        Versions              Vulnerable   Fixed
VMware Workspace ONE Access    20.10.x               Yes          20.10.0.1 HF4
VMware Workspace ONE Access    21.08.x               Yes          21.08.0.1 HF2
VMware Identity Manager        3.3.4, 3.3.5, 3.3.6   Yes          See VMSA-2022-0011
VMware vRealize Automation     7.6                   Yes          See VMSA-2022-0011

Technical Details

The vulnerability (CWE-732) stems from overly permissive file permissions on support shell scripts included in the product installation. A local user with low privileges can modify these scripts; when they are subsequently executed by a higher-privileged process (e.g., a root-owned cron job or service), the attacker's modified script executes with elevated privileges.

  • Attack vector: Local — requires a foothold on the appliance
  • Privileges required: Low — a standard low-privilege account on the appliance
  • Chaining with CVE-2022-22954: CVE-2022-22954 (SSTI in the Workspace ONE login flow) provides unauthenticated RCE on the appliance; CVE-2022-22960 then escalates that foothold to root
  • Combined impact: Unauthenticated remote root on critical identity infrastructure
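As an added example (not VMware's code and not taken from the advisory), the following audit checks a script inventory for the CWE-732 condition described above: a script that a non-root identity can write to, or owns, while a root-owned job executes it. The paths, uids and the sample inventory are constructed for illustration.

```python
"""Audit helper for the CWE-732 pattern behind CVE-2022-22960 (added example, not VMware's code)."""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List

@dataclass
class ScriptInfo:
    path: str
    mode: int  # permission bits only (stat.S_IMODE)
    uid: int
    gid: int

def weaknesses(info: ScriptInfo, trusted_uids=(0,), trusted_gids=(0,)) -> List[str]:
    """Return every reason a non-root user could alter a script that root will run."""
    findings = []
    if info.mode & stat.S_IWOTH:
        findings.append("world-writable")
    if info.mode & stat.S_IWGRP and info.gid not in trusted_gids:
        findings.append(f"group-writable by untrusted gid {info.gid}")
    if info.uid not in trusted_uids:
        # The owner can always chmod or overwrite the file, whatever the mode bits say.
        findings.append(f"owned by untrusted uid {info.uid}")
    return findings

def audit_scripts(infos: Iterable[ScriptInfo]) -> Dict[str, List[str]]:
    """Map each weak script path to its findings; clean scripts are omitted."""
    return {i.path: w for i in infos if (w := weaknesses(i))}

def scan_directory(directory: str) -> Dict[str, List[str]]:
    """Audit the real .sh files in one directory (run as root on the appliance)."""
    infos = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        st = os.stat(path)
        if stat.S_ISREG(st.st_mode) and name.endswith(".sh"):
            infos.append(ScriptInfo(path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return audit_scripts(infos)

# Constructed inventory under a hypothetical path; none of these are real appliance files.
SAMPLE = [
    ScriptInfo("/opt/example/support/collect.sh", 0o755, 0, 0),     # root-owned, root-only write
    ScriptInfo("/opt/example/support/rotate.sh", 0o777, 0, 0),      # world-writable
    ScriptInfo("/opt/example/support/fix.sh", 0o775, 0, 1001),      # writable by a service group
    ScriptInfo("/opt/example/support/check.sh", 0o755, 1001, 1001), # owned by a service account
]

if __name__ == "__main__":
    for path, reasons in audit_scripts(SAMPLE).items():
        print(f"{path}: {', '.join(reasons)}")
```

Point `scan_directory` at the directory holding the appliance's support scripts to audit live permissions; any finding means the script should be treated as attacker-controllable until its mode and ownership are corrected.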

Discovery

Reported to VMware. The rapid KEV addition (two days after the CVE was published) reflects immediate exploitation activity observed after patch publication.

Exploitation Context

CISA issued an emergency directive (ED 22-02) alongside the KEV addition due to the severity of the VMware Workspace ONE product line vulnerabilities in 2022. The combination of CVE-2022-22954 (RCE) and CVE-2022-22960 (root escalation) was actively exploited by multiple threat actors including nation-state groups and ransomware operators targeting enterprise identity infrastructure. VMware Workspace ONE and Identity Manager are frequently deployed with broad network access, amplifying the risk of a successful compromise.

Remediation

  1. Apply VMSA-2022-0011 patches for all affected products — see VMware's advisory for per-version patch downloads
  2. If patching cannot be completed immediately, apply VMware's provided workaround scripts (available in the advisory)
  3. Restrict network access to Workspace ONE and Identity Manager management interfaces
  4. Monitor for unexpected root-level process execution on appliances
  5. Review all admin accounts and SSO configurations for unauthorized changes following potential compromise

Key Details

Property               Value
CVE ID                 CVE-2022-22960
Vendor / Product       VMware — Multiple Products
NVD Published          2022-04-13
NVD Last Modified      2025-10-30
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-732
CISA KEV Added         2022-04-15
CISA KEV Deadline      2022-05-06
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-06. Apply updates per vendor instructions.

Timeline

Date          Event
2022-04-06    VMware publishes VMSA-2022-0011 addressing CVE-2022-22960 and related vulnerabilities
2022-04-13    CVE published
2022-04-15    Added to CISA Known Exploited Vulnerabilities catalog
2022-05-06    CISA BOD 22-01 remediation deadline

References

Resource                                   Type
VMware Security Advisory VMSA-2022-0011    Vendor Advisory
NVD — CVE-2022-22960                       Vulnerability Database
CISA KEV Catalog Entry                     US Government