Mallory
Severity: Medium | CISA KEV | Exploited in the wild | Public exploit

Information Disclosure in VMware vCenter Server via Incorrect File Permissions

Identifiers: CVE-2022-22948, CWE-732

CVE-2022-22948 is an information disclosure vulnerability in VMware vCenter Server (VMware advisory VMSA-2022-0009; CWE-732, Incorrect Permission Assignment for Critical Resource) caused by overly permissive file permissions on sensitive configuration files in the vCenter Server Appliance. A malicious actor with non-administrative access to the appliance operating system can read those files and obtain information that should be restricted to root and the vCenter service account. The file most often cited in public research on this CVE is /etc/vmware-vpx/vcdb.properties, which holds the connection settings, including the password, for the vCenter PostgreSQL database (VCDB); with that information a local user can connect to the database directly. Mandiant has reported that the espionage group UNC3886 exploited this flaw to obtain encrypted credentials from the vCenter PostgreSQL database, which is why a Medium-severity, local-access bug sits in CISA's KEV catalog. The issue is a textbook case of an incorrect permission assignment exposing sensitive local data to lower-privileged users on the system.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation lets a non-administrative user with shell access to the vCenter Server Appliance read configuration data that should be restricted to root and the vCenter service account. With the database connection settings from that data, the user can connect to the vCenter PostgreSQL database and extract the encrypted credentials it stores, such as the vpxuser credentials vCenter keeps for the ESXi hosts it manages; this is the credential harvesting that UNC3886 is reported to have carried out. Those credentials enable follow-on credential theft, privilege escalation to the hypervisor layer, persistence on ESXi hosts, and broader compromise of the vSphere environment and the workloads it runs. The vulnerability itself requires an existing non-administrative foothold on the appliance; its value to an attacker lies in turning that foothold into control of the virtualization estate.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce who can reach the appliance's operating system and watch the files and database the flaw exposes. Concretely: restrict SSH and console access to the vCenter Server Appliance to a small set of administrators, leave the BASH shell disabled on the appliance where it is not needed, and remove or disable local OS accounts that are not required. Review the permissions on the sensitive configuration files; tightening them by hand so that only root and the vCenter service account can read them closes the immediate exposure, but it is an unsupported, temporary measure that an upgrade or reconfiguration may revert, so record it and re-check after any change. Monitor reads of those files by users other than root and the service account, watch PostgreSQL logs for connections to the vCenter database from unexpected OS users or processes, and alert on vpxuser logins to ESXi hosts that do not originate from the vCenter Server's address, since vpxuser should only ever be used by vCenter itself. These are compensating controls only; the primary mitigation is the vendor fix.

Remediation

Patch, then assume compromise.

Apply the fixed vCenter Server or Cloud Foundation release listed in VMware advisory VMSA-2022-0009 for CVE-2022-22948. Because the root cause is an incorrect permission on sensitive files, validate the fix after patching rather than assuming it: as root on the appliance, confirm that the sensitive configuration files no longer carry a read bit for "other", and that a non-administrative local account can no longer read them or connect to the PostgreSQL database with the settings they contain. Then assume compromise if the system was exposed while unpatched: rotate credentials that were stored in or reachable from vCenter, including the vpxuser accounts vCenter uses on its managed ESXi hosts and any service accounts holding vCenter roles; review PostgreSQL access logs for connections by unexpected OS users; and check ESXi hosts for vpxuser logins from sources other than the vCenter Server, unexpected SSH enablement, and other post-exploitation activity consistent with credential access and lateral movement to the hypervisor layer.
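As an added example (not code from this advisory or from VMware), the following POSIX shell script performs the permission check that both the compensating controls and the post-patch validation above call for: it reports any listed vCenter file whose mode grants read access to "other", meaning any local user. The file list is an assumption drawn from public research on this CVE (vcdb.properties is the documented world-readable file; symkey.dat, the key vCenter uses for credentials stored in VCDB, is included only as a second file worth checking); adjust it to your appliance. Run it as root on the vCenter Server Appliance before and after applying the fix.

```shell
#!/bin/sh
# Added example: audit CVE-2022-22948-style exposure on a vCenter Server
# Appliance by checking whether sensitive files are readable by "other".
# Not VMware code. The file paths below are assumptions drawn from public
# research on this CVE; adjust them to your deployment.

# other_readable FILE: exit 0 if "other" has read permission on FILE,
# 1 if not, 2 if FILE does not exist. Uses ls(1) so it runs on any POSIX
# system, including the Photon OS base of the appliance.
other_readable() {
  [ -e "$1" ] || return 2
  # Field 1 of "ls -ld" is the mode string, e.g. -rw-r--r--; column 8 is
  # the "other" read bit.
  [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# audit_world_readable FILE...: print each existing FILE that "other" can
# read, with its mode string. Exit 1 if any was found, 0 if none, so the
# function can gate a remediation step.
audit_world_readable() {
  _found=0
  for _f in "$@"; do
    [ -e "$_f" ] || continue
    if other_readable "$_f"; then
      printf 'WORLD-READABLE: %s %s\n' "$(ls -ld "$_f" | cut -c1-10)" "$_f"
      _found=1
    fi
  done
  return $_found
}

# count_world_readable FILE...: number of world-readable files among the
# arguments, as a plain number for scripting or alerting.
count_world_readable() {
  audit_world_readable "$@" | wc -l | tr -d ' '
}

# Assumed list of files to check on a vCenter Server Appliance:
#  - vcdb.properties holds the PostgreSQL connection settings, including the
#    database password; this is the file public research ties to the CVE.
#  - symkey.dat is the key vCenter uses for credentials stored in VCDB.
VCENTER_SENSITIVE_FILES='/etc/vmware-vpx/vcdb.properties
/etc/vmware-vpx/ssl/symkey.dat'

if [ "${1:-}" = "--audit" ]; then
  # Unquoted on purpose: the list is newline-separated and IFS splits it.
  if audit_world_readable $VCENTER_SENSITIVE_FILES; then
    echo "OK: none of the listed files is readable by other users"
  else
    echo "ACTION: apply the VMSA-2022-0009 fixed release and re-run this check"
    exit 1
  fi
fi
```

Invoke it as `sh vcenter_perm_audit.sh --audit`; a non-zero exit means at least one file is still exposed. The check deliberately reads the mode bits rather than attempting to open the file as an unprivileged user, so it is safe to run on a production appliance and its output can be fed to a ticketing or alerting pipeline.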
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as a fake, a detection script, or a README-only repository (valid: 0 of 1 total).

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor      Product            Type
Broadcom    Cloud Foundation   application
Broadcom    vCenter Server     application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
