
VMware discloses a new authentication bypass vulnerability

The software giant recommends prompt patch deployment and says it is not aware of any in-the-wild exploitation so far.

VMware has disclosed a recently discovered vulnerability that allows an authentication bypass.


VMware Discovers and Patches Critical Security Vulnerabilities

VMware has disclosed a total of ten vulnerabilities, nine new and one previously disclosed (CVE-2022-31656). The latest vulnerability, similar to a previous one disclosed in May (CVE-2022-22972), has been rated in the critical severity range with a score of 9.8 on the Common Vulnerability Scoring System (CVSS).

The initial security advisory for CVE-2022-31656 was issued by VMware on Tuesday. This new vulnerability can bypass authentication in VMware Workspace ONE Access, Identity Manager, and vRealize Automation, posing a significant risk to corporate stakeholders.

Google Project Zero and Kaspersky were the organizations that uncovered the nine additional security vulnerabilities that can be chained with CVE-2022-31656. The most serious of these could be exploited by threat actors to achieve remote code execution when paired with CVE-2022-31656.

VMware has disclosed nine additional vulnerabilities, including six in the important severity range and three in the moderate severity range. The new vulnerabilities, if exploited together with CVE-2022-31656, could allow for a remote code execution.

In a supplemental blog post, VMware warned that all customers using the impacted products could be at risk. The company advises customers to deploy the patches immediately and discourages relying on workarounds.

Claire Tills, senior research engineer at Tenable, wrote that exploitation of the authentication bypass flaw could open up the possibility of attackers creating exploit chains. Tenable has published a blog post regarding the new vulnerabilities disclosed by VMware.

VMware has issued patches for the three impacted products. The company states that it is not aware of any exploitation of the vulnerabilities in the wild.

Corporate stakeholders are increasingly interested in understanding the risk calculus of their technology stacks, with a focus on whether they are potential targets. The new vulnerabilities, along with CVE-2022-31656, could potentially be used to create exploit chains, making it crucial for organisations to prioritise security updates.

Critical vulnerabilities are a recurring problem for VMware customers. The previously disclosed vulnerability, CVE-2022-22972, earned the same critical severity score of 9.8 and elicited an emergency directive from the Cybersecurity and Infrastructure Security Agency in May. This underscores the importance of staying vigilant and promptly addressing security issues.
