May 19, 2022 

VMWare Patches Critical Authentication Bypass Vulnerability

VMWare has patched a critical vulnerability, which may allow attackers to obtain administrative access without the need to authenticate. 

The Vulnerability

• CVE-2022-22972, (CVSS 3.1: 9.8, Critical) – A malicious actor with network access to the UI may be able to obtain administrative access without authentication. 

Affected Products

• VMware Workspace ONE Access (Access). 
• VMware Identity Manager (vIDM). 
• VMware vRealize Automation (vRA). 
• VMware Cloud Foundation. 
• VMware vRealize Suite Lifecycle Manager. 

Please visit the official advisory for a list of affected versions. 

Mitigation

CYREBRO recommends patching all relevant products to mitigate the vulnerability. For a list of available patches and possible workarounds, please refer to the ‘Response Matrix’ section in the official advisory. 

References: VMWare Advisory.