CVE-2021-22054

HIGH KEV NUCLEI

VMware Workspace ONE UEM Console SSRF (20.0.8-20.0.8.36, 20.11.0-20.11.0.39, 21.2.0-21.2.0.26, 21.5.0-21.5.0.36)

Title source: llm

Exploitation Summary

CVE-2021-22054 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 9, 2026. EIP tracks 1 public exploit from researchers including MKSx. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2021-22054, an SSRF vulnerability in VMware Workspace ONE UEM. The script generates encrypted SSRF payloads and can send requests to exploit the vulnerability, leveraging AES encryption and specific API endpoints.

Description

VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain an SSRF vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.

Exploits (1)

nomisec WORKING POC 5 stars

by MKSx · infoleak

https://github.com/MKSx/CVE-2021-22054

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2021-22054, an SSRF vulnerability in VMware Workspace ONE UEM. The script generates encrypted SSRF payloads and can send requests to exploit the vulnerability, leveraging AES encryption and specific API endpoints.

Classification

Working Poc 95%

Attack Type

Ssrf

Complexity

Moderate

Reliability

Reliable

Target: VMware Workspace ONE UEM

No auth needed

Prerequisites: Access to the target VMware Workspace ONE UEM instance

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

VMWare Workspace ONE UEM - Server-Side Request Forgery

HIGHby h1ei1

FOFA:

banner="/AirWatch/default.aspx" || header="/AirWatch/default.aspx" || banner="/airwatch/default.aspx" || header="/airwatch/default.aspx"

References (3)

Core 3

Core References

Various Sources

https://www.greynoise.io/blog/new-ssrf-exploitation-surge

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22054

Patch, Vendor Advisory x_refsource_misc

https://www.vmware.com/security/advisories/VMSA-2021-0029.html

Scores

CVSS v3 7.5

EPSS 0.9384

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2026-03-09

VulnCheck KEV 2025-03-11

ENISA EUVD EUVD-2021-9219

CWE

CWE-918

Status published

Products (1)

vmware/workspace_one_uem_console 20.0.8.0 - 20.0.8.36

Published Dec 17, 2021

KEV Added Mar 09, 2026

Tracked Since Feb 18, 2026