CVE-2022-31704

CRITICAL EXPLOITED NUCLEI

VMware vRealize Log Insight 3.0-4.8 - Unauthenticated Remote Code Execution via Broken Access Control

Title source: llm

Exploitation Summary

CVE-2022-31704 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Horizon3.ai Attack Team, including a Metasploit module exploits/linux/http/vmware_vrli_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2022-31704, a chain of vulnerabilities in VMware vRealize Log Insight (v8.x) including directory traversal, broken access control, and deserialization, leading to unauthenticated RCE as root. It leverages Thrift service commands to download and process a malicious PAK archive, placing a JSP payload for execution.

Description

The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote code execution.

Exploits (2)

metasploit WORKING POC EXCELLENT

by Horizon3.ai Attack Team · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_vrli_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2022-31704, a chain of vulnerabilities in VMware vRealize Log Insight (v8.x) including directory traversal, broken access control, and deserialization, leading to unauthenticated RCE as root. It leverages Thrift service commands to download and process a malicious PAK archive, placing a JSP payload for execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: VMware vRealize Log Insight < 8.10.2

No auth needed

Prerequisites: Network access to Thrift service (port 16520) and web service (port 443) · SSL/TLS connectivity

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 05, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/horizon3ai/vRealizeLogInsightRCE

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2022-31704, which abuses Thrift RPC endpoints in VMware vRealize Log Insight to achieve arbitrary file write and remote code execution via a malicious tar file and directory traversal.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: VMware vRealize Log Insight

No auth needed

Prerequisites: Network access to the target's Thrift RPC port (default 16520) · Ability to host an HTTP server for payload delivery

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

Nuclei Templates (1)

VMware vRealize Log Insight - Improper Access Control to RCE

CRITICALby ritikchaddha

Shodan: http.title:"vrealize log insight"

FOFA: title="vrealize log insight"

References (3)

Core 3

Core References

Various Sources

https://packetstorm.news/files/id/174606

Patch, Vendor Advisory

https://www.vmware.com/security/advisories/VMSA-2023-0001.html

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/174606/VMware-vRealize-Log-Insight-Unauthenticated-Remote-Code-Execution.html

Scores

CVSS v3 9.8

EPSS 0.8984

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2023-12-20

CWE

CWE-284

Status published

Products (1)

vmware/vrealize_log_insight 3.0 - 4.8

Published Jan 26, 2023

Tracked Since Feb 18, 2026