CVE-2024-22274

HIGH

VMware vCenter Server - Authenticated Appliance Shell Command Execution

Title source: manual

Exploitation Summary

EIP tracks 4 public exploits for CVE-2024-22274. PoCs published by l0n3m4n, mbadanoiu, Mustafa1986.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2024-22274, an authenticated RCE vulnerability in VMware vCenter Server. The exploit leverages flag injection in the backup.validate API to execute arbitrary commands as root via SSH.

Description

The vCenter Server contains an authenticated remote code execution vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitrary commands on the underlying operating system.

Exploits (4)

nomisec WORKING POC 44 stars
by l0n3m4n · poc
https://github.com/l0n3m4n/CVE-2024-22274-RCE

This repository contains a functional exploit for CVE-2024-22274, an authenticated RCE vulnerability in VMware vCenter Server. The exploit leverages flag injection in the backup.validate API to execute arbitrary commands as root via SSH.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: VMware vCenter Server (versions affected by CVE-2024-22274)
Auth required
Prerequisites: Valid SSH credentials with admin role · Access to vCenter Server shell
devstral-2 · analyzed Feb 18, 2026

nomisec SUSPICIOUS 38 stars
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2024-22274

The repository lacks actual exploit code and instead redirects to an external PDF for details, which is a common tactic for suspicious or monetized exploits. No technical details or proof-of-concept code are provided in the repository itself.

Classification: Suspicious 90%
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: VMware vCenter Server
Auth required
Prerequisites: Valid credentials for user with 'admin' role
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by Mustafa1986 · poc
https://github.com/Mustafa1986/CVE-2024-22274-RCE

This repository contains a functional Go-based exploit for CVE-2024-22274, which automates the creation of a new user with sudo privileges via SSH and provides a root shell. The exploit uses base64-encoded commands to bypass restrictions and leverages SSH for remote execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unknown (SSH-based exploitation, likely a Linux system with vulnerable user management)
Auth required
Prerequisites: Valid SSH credentials for the target system · SSH access to the target · Go environment for compilation
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by ninhpn1337 · poc
https://github.com/ninhpn1337/CVE-2024-22274

This repository contains a functional exploit for CVE-2024-22274, which creates a root user via SSH and spawns a root shell. The exploit uses Paramiko to establish an SSH connection, execute a base64-encoded command to create a new user, and then logs in as that user to obtain a root shell.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unknown (SSH-based exploit, likely targeting a specific software with SSH access)
Auth required
Prerequisites: Valid SSH credentials for initial access · Python environment with Paramiko, pwinput, and base64 libraries
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 7.2
EPSS 0.0249
EPSS Percentile 82.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE CWE-94
Status published
Products (3)
vmware/cloud_foundation 4.0 - 5.1.1
vmware/vcenter_server 7.0 (30 CPE variants)
vmware/vcenter_server 8.0 (12 CPE variants)
Published May 21, 2024
Tracked Since Feb 18, 2026