CVE-2022-22972 is an authentication bypass vulnerability in VMware Workspace ONE Access, VMware Identity Manager, and VMware vRealize Automation. The flaw affects local domain users and allows a malicious actor with network access to the product UI to obtain administrative access without authenticating. VMware disclosed the issue in advisory VMSA-2022-0014 on May 18, 2022, alongside CVE-2022-22973. The available material does not identify the exact vulnerable function or code path, so more specific implementation details are not available here.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository contains a proof-of-concept exploit for CVE-2022-22972, an authentication bypass vulnerability affecting VMware vRealize Automation 7.6, Workspace ONE, and vIDM. The main exploit script (CVE-2022-22972.py) is a Python program that automates the bypass by manipulating the Host header in a crafted POST request to the VMware authentication endpoint. The script first initiates a session and follows redirects to extract the hidden form fields it needs from the login page. It then crafts a POST request to the /SAAS/auth/login/embeddedauthbroker/callback endpoint, setting the Host header to an attacker-controlled value (by default, an AWS API Gateway endpoint). If the attack succeeds, the script outputs a valid HZN session cookie, which can be used to authenticate as the specified user. The README provides technical background, usage instructions, and mitigation advice. The repository is structured simply, with one Python exploit script and a detailed README. No fake or destructive code is present; the exploit is a legitimate POC for the described vulnerability.
This repository, 'VcenterKiller', is a comprehensive exploitation toolkit written in Go, targeting multiple critical vulnerabilities in VMware vCenter Server and Workspace ONE Access. It supports exploitation of CVE-2021-21972, CVE-2021-21985, CVE-2021-22005, CVE-2021-44228 (Log4Shell), CVE-2022-22954, CVE-2022-22972, and CVE-2022-31656. The tool provides modules for remote code execution, webshell upload, SSH key injection, authentication bypass, and Log4j JNDI injection (with built-in LDAP/RMI servers for payload delivery). The main entry point is 'main.go', which dispatches to specific modules under 'src/'. Each module implements the exploit logic for a specific CVE, with endpoints and payloads tailored to the vulnerability. The tool is operational and can be used for post-exploitation, red teaming, or authorized penetration testing of VMware environments. The codebase is modular, with clear separation of exploit logic per CVE, and includes support for proxies and various attack modes. The README provides detailed usage instructions and legal disclaimers.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical VMware AirWatch authentication bypass vulnerability that the threat actor assessed as a route to mobile device management administration.
A VMware vulnerability affecting the same products as the other discussed flaws, highlighted by CISA as highly likely to be exploited.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.