CVE-2022-22954 VMware CVE debrief

Who should care

Security and infrastructure teams responsible for VMware Workspace ONE Access and VMware Identity Manager deployments, especially internet-facing instances or systems that support authentication and identity workflows.

Technical summary

The official records describe this issue as a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager. The CISA KEV entry indicates it is a known exploited vulnerability and notes known ransomware campaign use. The supplied source corpus does not provide version ranges, exploit mechanics, or remediation specifics beyond applying updates per vendor instructions.

Defensive priority

Critical priority for exposure reduction and patching. KEV status means active exploitation is already confirmed, and CISA assigned a 2022-05-05 due date after the 2022-04-14 listing.

Recommended defensive actions

• Apply VMware updates per vendor instructions as soon as possible.
• Inventory all Workspace ONE Access and Identity Manager deployments, including test and fallback systems.
• Verify whether any internet-facing or externally reachable instances exist and prioritize them first.
• Review authentication logs and administrative activity for suspicious access around the exposure window.
• If patching cannot be completed immediately, reduce exposure by limiting network access to the management and authentication interfaces.
• Validate that no unapproved changes were made to the affected VMware systems after remediation.

Evidence notes

This debrief is based only on the supplied official sources: the CISA Known Exploited Vulnerabilities JSON entry and linked official CVE/NVD references. The corpus confirms the vulnerability name, vendor/product, KEV listing date (2022-04-14), due date (2022-05-05), and known ransomware campaign use. No CVSS score, affected version range, or exploit details were provided in the supplied material.

Official resources