VMware Workspace ONE Flaw CVE-2022-22954 Hit by Active Malware Campaigns
Attackers actively exploited VMware Workspace ONE Access, Identity Manager, and vRealize Automation flaws in the wild, with CVE-2022-22954 emerging as the primary initial access vector. Palo Alto Networks Unit 42 said exploitation began shortly after VMware disclosed the issue, describing the bug as a trivial server-side template injection that can be triggered with a single HTTP request for remote code execution. The activity prompted a CISA alert, and researchers warned that related VMware flaws CVE-2022-22972 and CVE-2022-22973 were also highly likely to be targeted.
Observed post-exploitation activity included deployment of Mirai and Gafgyt variants, Enemybot, webshells, Perl-based shellbots, coinminers, and payloads that modified SSH keys for persistence. Unit 42 reported that attackers could chain CVE-2022-22960 after the initial compromise to escalate privileges to root by abusing writable paths and sudo-accessible scripts. The company said its Threat Prevention signature 92483 blocks exploitation attempts and noted that about 800 internet-exposed Workspace ONE Access instances were visible, underscoring the exposure risk for unpatched organizations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Unit 42 publishes technical analysis and IOCs for VMware attacks
Palo Alto Networks Unit 42 published a threat brief documenting widespread exploitation, attack chains involving CVE-2022-22954 and CVE-2022-22960, and indicators of compromise such as malware URLs, hashes, and command-and-control details. The report also noted roughly 800 internet-exposed Workspace ONE Access instances identified by Cortex Xpanse.
CISA issues alert on active VMware exploitation
CISA issued an alert warning about active exploitation of VMware vulnerabilities, including CVE-2022-22954. The alert reflected growing official concern over ongoing attacks against exposed systems.
VMware discloses additional flaws including CVE-2022-22960
In May 2022, VMware disclosed additional vulnerabilities including CVE-2022-22960, which could be used after CVE-2022-22954 for privilege escalation to root. Unit 42 assessed CVE-2022-22972 and CVE-2022-22973 as also highly likely to be exploited.
Attackers begin exploiting CVE-2022-22954 in the wild
Unit 42 observed exploitation attempts for CVE-2022-22954 starting on April 11, 2022. Attackers used the flaw to deploy Mirai and Gafgyt variants, Enemybot, webshells, shellbots, coinminers, and SSH key manipulation payloads.
VMware discloses Workspace ONE Access and related vulnerabilities
VMware published an advisory covering vulnerabilities affecting Workspace ONE Access, Identity Manager, and related products, including CVE-2022-22954. This disclosure preceded observed exploitation activity by only a few days.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Mirai, RAR1Ransom, and GuardMiner - Multiple Malware Campaigns Target VMware Vulnerability
fortinet.com
Open sourceThreat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)
unit42.paloaltonetworks.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Critical Infrastructure Management RCE Flaws
Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.
Mar 21, 2026
Active Exploitation of Critical RCE Vulnerabilities in Enterprise Infrastructure (Cisco UC and VMware vCenter)
Reports warn of **in-the-wild exploitation** of critical remote code execution vulnerabilities affecting widely deployed enterprise infrastructure. One report describes a purported Cisco Unified Communications zero-day, **CVE-2024-20253**, impacting *Cisco Unified Communications Manager (Unified CM)*, *Cisco Unity Connection*, and *Webex Calling Dedicated Instance*, and claims it enables **unauthenticated command execution** via the web management interface, creating risk of full system compromise and rapid opportunistic scanning of internet-exposed instances. Separately, **CISA added Broadcom VMware vCenter Server CVE-2024-37079** (CVSS 9.8) to the **Known Exploited Vulnerabilities (KEV)** catalog based on evidence of exploitation; the issue is described as a **DCE/RPC heap overflow** that can lead to RCE via specially crafted network packets, and Broadcom updated its advisory to acknowledge observed exploitation. A third item (Rapid7’s Metasploit wrap-up) is not about either of these active-exploitation advisories; it covers new Metasploit modules for unrelated vulnerabilities (e.g., Oracle E-Business Suite **CVE-2025-61882** and Splunk issues), which may increase general exploitation capability but does not substantively corroborate the Cisco or VMware events.
Mar 21, 2026
VMware vCenter Flaws Prompt Patches for RCE and Command Execution Risks
Broadcom issued **VMSA-2025-0010** to fix four vulnerabilities across VMware ESXi, vCenter Server, Workstation, Fusion, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure, led by **CVE-2025-41225**, an authenticated command-execution flaw in **vCenter Server** with a **CVSS 8.8** score. According to the advisory, an attacker able to create or modify alarms and run script actions could exploit the bug, while additional fixes address **CVE-2025-41226** and **CVE-2025-41227** denial-of-service issues and **CVE-2025-41228**, a reflected **XSS** flaw affecting ESXi and vCenter Server. VMware said patches are available for all affected products and that **no workarounds** exist. The latest advisory follows earlier VMware warnings over serious **vCenter Server** weaknesses, including **VMSA-2024-0012**, which disclosed **CVE-2024-37079**, **CVE-2024-37080**, and **CVE-2024-37081** as memory-management and corruption flaws that could enable **remote code execution** in vCenter services. VMware said at the time it had no evidence of active exploitation, but urged customers to apply the listed patch versions because no official mitigations were provided; public GitHub material later appeared referencing **CVE-2024-37081**, underscoring continued security attention on vCenter exposure.
May 26, 2026