CVE-2022-22972

CRITICAL EXPLOITED NUCLEI

VMware Identity Manager Workspace ONE Access and vRealize Automation - Authentication Bypass

Title source: llm

Exploitation Summary

CVE-2022-22972 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including horizon3ai, xk4ng, bengisugun. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC exploits CVE-2022-22972, an authentication bypass vulnerability in VMware Workspace ONE, vIDM, and vRealize Automation 7.6. It manipulates the Host header in an HTTP POST request to bypass authentication and obtain a valid HZN cookie.

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

Exploits (4)

nomisec WORKING POC 153 stars

by horizon3ai · remote

https://github.com/horizon3ai/CVE-2022-22972

View Code ZIP pw:eip

This PoC exploits CVE-2022-22972, an authentication bypass vulnerability in VMware Workspace ONE, vIDM, and vRealize Automation 7.6. It manipulates the Host header in an HTTP POST request to bypass authentication and obtain a valid HZN cookie.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: VMware Workspace ONE, vIDM, vRealize Automation 7.6

No auth needed

Prerequisites: Network access to the target application · A host controlled by the attacker to respond with a 200 status code

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by xk4ng · poc

https://github.com/xk4ng/CVE-2022-22972

View Code ZIP pw:eip

This repository contains a Go-based proof-of-concept exploit for CVE-2022-22972, an authentication bypass vulnerability in VMware. The exploit automates the process of bypassing authentication by manipulating login form parameters and cookies.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: VMware vRealize Automation (vRA)

No auth needed

Prerequisites: Network access to the target VMware instance · Valid username (default: administrator)

MITRE ATT&CK

T1110.001 - Password Guessing T1552.001 - Credentials In Files

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WRITEUP

by bengisugun · poc

https://github.com/bengisugun/CVE-2022-22972-

View Code ZIP pw:eip

This repository contains an IOC (Indicators of Compromise) list related to CVE-2022-22972, including IP addresses, hashes, and domains. It does not include exploit code or technical details for exploitation.

Classification

Writeup 100%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: VMware Workspace ONE Access (CVE-2022-22972)

No auth needed

devstral-2 · analyzed Feb 16, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/Schira4396/VcenterKiller

View Code ZIP pw:eip

This repository contains a functional exploit tool for multiple VMware vCenter vulnerabilities, including CVE-2022-22972, CVE-2021-21972, CVE-2021-21985, CVE-2021-22005, and Log4j (CVE-2021-44228). It provides command execution, file upload, and reverse shell capabilities.

Classification

Working Poc 95%

Attack Type

Rce | Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: VMware vCenter (multiple versions)

No auth needed

Prerequisites: network access to target vCenter · vulnerable version of vCenter

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution T1078 - Valid Accounts

devstral-2 · analyzed Feb 25, 2026 Full analysis →

Nuclei Templates (1)

VMware Workspace ONE Access/Identity Manager/vRealize Automation - Authentication Bypass

CRITICALby For3stCo1d,princechaddha

Shodan: http.favicon.hash:-1250474341

FOFA:

app="vmware-Workspace-ONE-Access" || app="vmware-Identity-Manager" || app="vmware-vRealize" || icon_hash=-1250474341 || app="vmware-workspace-one-access" || app="vmware-identity-manager" || app="vmware-vrealize"

References (1)

Core 1

Core References

Vendor Advisory x_refsource_misc

https://www.vmware.com/security/advisories/VMSA-2022-0014.html

Scores

CVSS v3 9.8

EPSS 0.5281

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-08-12

Status published

Products (40)

vmware/cloud_foundation 3.0

vmware/cloud_foundation 3.0.1

vmware/cloud_foundation 3.0.1.1

vmware/cloud_foundation 3.5

vmware/cloud_foundation 3.5.1

vmware/cloud_foundation 3.7

vmware/cloud_foundation 3.7.1

vmware/cloud_foundation 3.7.2

vmware/cloud_foundation 3.8

vmware/cloud_foundation 3.8.1

... and 30 more

Published May 20, 2022

Tracked Since Feb 18, 2026