CVE-2022-22956

CRITICAL EXPLOITED NUCLEI

VMware Workspace ONE Access - Authentication Bypass via OAuth2 ACS Framework

Title source: llm

Exploitation Summary

CVE-2022-22956 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including mr_me, jheysel-r7, including a Metasploit module exploits/linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2022-22960 by chaining CVE-2022-22956 (authentication bypass) and CVE-2022-22957 (JDBC injection RCE) to achieve remote code execution as the 'horizon' user on VMware Workspace ONE Access.

Description

VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.

Exploits (1)

metasploit WORKING POC EXCELLENT

by mr_me, jheysel-r7 · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2022-22960 by chaining CVE-2022-22956 (authentication bypass) and CVE-2022-22957 (JDBC injection RCE) to achieve remote code execution as the 'horizon' user on VMware Workspace ONE Access.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: VMware Workspace ONE Access

No auth needed

Prerequisites: Network access to the target · Target running vulnerable VMware Workspace ONE Access

MITRE ATT&CK

T1189 - Drive-by Compromise T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

VMware Workspace ONE Access - Authentication Bypass

CRITICALVERIFIEDby daffainfo

Shodan: http.favicon.hash:"-1250474341"

FOFA: icon_hash=-1250474341

References (3)

Core 3

Core References

Patch, Vendor Advisory

https://www.vmware.com/security/advisories/VMSA-2022-0011.html

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/171918/Mware-Workspace-ONE-Remote-Code-Execution.html

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/171918/VMware-Workspace-ONE-Remote-Code-Execution.html

Scores

CVSS v3 9.8

EPSS 0.4990

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-09-03

CWE

CWE-287

Status published

Products (10)

vmware/identity_manager 3.3.3

vmware/identity_manager 3.3.4

vmware/identity_manager 3.3.5

vmware/identity_manager 3.3.6

vmware/vrealize_automation 7.6

vmware/vrealize_automation 8.0 - 9.0

vmware/workspace_one_access 20.10.0.0

vmware/workspace_one_access 20.10.0.1

vmware/workspace_one_access 21.08.0.0

vmware/workspace_one_access 21.08.0.1

Published Apr 13, 2022

Tracked Since Feb 18, 2026