CVE-2022-22960

HIGH KEV

VMware Workspace ONE Access CVE-2022-22960

Title source: metasploit

Exploitation Summary

CVE-2022-22960 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 15, 2022. EIP tracks 1 public exploit from researchers including mr_me, jheysel-r7, including a Metasploit module exploits/linux/local/vmware_workspace_one_access_cve_2022_22960.

AI-analyzed exploit summary This Metasploit module exploits CVE-2022-22960, a local privilege escalation vulnerability in VMware Workspace ONE Access. It manipulates the permissions of certproxyService.sh to allow the horizon user to overwrite it and execute arbitrary commands as root.

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to 'root'.

Exploits (1)

metasploit WORKING POC GOOD

by mr_me, jheysel-r7 · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/vmware_workspace_one_access_cve_2022_22960.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2022-22960, a local privilege escalation vulnerability in VMware Workspace ONE Access. It manipulates the permissions of certproxyService.sh to allow the horizon user to overwrite it and execute arbitrary commands as root.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: VMware Workspace ONE Access

Auth required

Prerequisites: Local access as the horizon user (UID 1001) · Presence of the vulnerable certproxyService.sh script

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/171918/Mware-Workspace-ONE-Remote-Code-Execution.html

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/171918/VMware-Workspace-ONE-Remote-Code-Execution.html

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/171935/VMware-Workspace-ONE-Access-Privilege-Escalation.html

Patch, Vendor Advisory

https://www.vmware.com/security/advisories/VMSA-2022-0011.html

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22960

Scores

CVSS v3 7.8

EPSS 0.7249

EPSS Percentile 98.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact total

Details

CISA KEV 2022-04-15

VulnCheck KEV 2022-04-06

InTheWild.io 2022-04-15

ENISA EUVD EUVD-2022-28083

CWE

CWE-732

Status published

Products (11)

vmware/cloud_foundation 3.0 - 5.0

vmware/identity_manager 3.3.3

vmware/identity_manager 3.3.4

vmware/identity_manager 3.3.5

vmware/identity_manager 3.3.6

vmware/vrealize_automation 7.6

vmware/vrealize_suite_lifecycle_manager 8.0 - 9.0

vmware/workspace_one_access 20.10.0.0

vmware/workspace_one_access 20.10.0.1

vmware/workspace_one_access 21.08.0.0

... and 1 more

Published Apr 13, 2022

KEV Added Apr 15, 2022

Tracked Since Feb 18, 2026