CVE-2022-31706

CRITICAL EXPLOITED NUCLEI

VMware vRealize Log Insight 3.0-4.8 - Unauthenticated Path Traversal and Remote Code Execution

Title source: llm

Exploitation Summary

CVE-2022-31706 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Horizon3.ai Attack Team, including a Metasploit module exploits/linux/http/vmware_vrli_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2022-31706, a chain of vulnerabilities in VMware vRealize Log Insight (v8.x) including directory traversal, broken access control, and deserialization, leading to unauthenticated RCE as root. It leverages Thrift service interactions to download and process a malicious PAK archive, placing a JSP payload for execution.

Description

The vRealize Log Insight contains a Directory Traversal Vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.

Exploits (2)

metasploit WORKING POC EXCELLENT

by Horizon3.ai Attack Team · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_vrli_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2022-31706, a chain of vulnerabilities in VMware vRealize Log Insight (v8.x) including directory traversal, broken access control, and deserialization, leading to unauthenticated RCE as root. It leverages Thrift service interactions to download and process a malicious PAK archive, placing a JSP payload for execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: VMware vRealize Log Insight < v8.10.2

No auth needed

Prerequisites: Network access to Thrift service (port 16520) and web service (port 443) · SSL/TLS connectivity

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Mar 05, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/horizon3ai/vRealizeLogInsightRCE

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2022-31706, which abuses Thrift RPC endpoints in VMware vRealize Log Insight to achieve arbitrary file write and remote code execution via directory traversal. The exploit chains multiple CVEs (CVE-2022-31706, CVE-2022-31704, CVE-2022-31711) to leak a node token, download a malicious payload, and write a cron job for a reverse shell.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: VMware vRealize Log Insight

No auth needed

Prerequisites: Network access to Thrift RPC port (default 16520) · HTTP server to host malicious payload

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

Nuclei Templates (1)

VMware vRealize Log Insight - Path Traversal

CRITICALby ritikchaddha

Shodan: http.title:"vrealize log insight"

FOFA: title="vrealize log insight"

References (3)

Core 3

Core References

Various Sources

https://packetstorm.news/files/id/174606

Patch, Vendor Advisory

https://www.vmware.com/security/advisories/VMSA-2023-0001.html

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/174606/VMware-vRealize-Log-Insight-Unauthenticated-Remote-Code-Execution.html

Scores

CVSS v3 9.8

EPSS 0.9018

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2023-12-20

CWE

CWE-22

Status published

Products (1)

vmware/vrealize_log_insight 3.0 - 4.8

Published Jan 26, 2023

Tracked Since Feb 18, 2026