What is the Vulnerability?
The vulnerability this page covers is tracked as CVE-2022-22954: a server-side template injection (SSTI) flaw in VMware Workspace ONE Access and VMware Identity Manager (vIDM) that allows unauthenticated remote code execution. By exploiting the Identity Manager service, attackers can run commands on the appliance; in the campaign described below, they used that foothold to launch PowerShell and establish communications with their own command and control (C2) server.
How Hackers Gain Access
The adversaries gain initial access to the environment by exploiting CVE-2022-22954, the only one of the three RCE flaws in VMware's advisory VMSA-2022-0011 (the other two, CVE-2022-22957 and CVE-2022-22958, are JDBC injection bugs) that does not require administrative access to the target server, and the one with a publicly available proof-of-concept (PoC) exploit. The attack starts with a PowerShell command executed on the vulnerable service (Identity Manager), which launches a stager. The stager then fetches the PowerTrash loader, in a highly obfuscated form, from the C2 server and loads a Core Impact agent directly into memory. Because the agent never touches disk and runs with the privileges of the exploited service, attacks of this kind may bypass typical defenses, including antivirus (AV) and endpoint detection and response (EDR).
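The attack chain above begins with a single HTTP request carrying a template expression, so the earliest place to catch it is the web server access log of the Identity Manager appliance. The script below is an added example, not code from the original page or from VMware: it scans access-log lines for FreeMarker template injection of the kind the public CVE-2022-22954 PoC uses (an expression in the `deviceUdid` parameter of `/catalog-portal/ui/oauth/verify` that instantiates `freemarker.template.utility.Execute` with the `?new()` built-in). It keys on the template syntax and the `Execute` class name rather than on the request path, so re-encoded or path-rewritten variants are still flagged, and it URL-decodes repeatedly because double-encoding is a common filter-evasion trick. The log lines, client addresses and timestamps are constructed for this example.

```python
"""
Added example (not from the original page or from VMware): flag FreeMarker
server-side template injection attempts, such as the public CVE-2022-22954
PoC against VMware Workspace ONE Access / Identity Manager, in web access logs.

Detection is keyed on the template syntax (`${ ... ?new()`) and on the
`freemarker.template.utility.Execute` class rather than on a fixed URL path,
so variants that target another endpoint or re-encode the payload still match.
"""
import re
from urllib.parse import unquote

# FreeMarker expression that instantiates a class via the ?new() built-in.
TEMPLATE_EXPR = re.compile(r"\$\{[^}]*\?new\(\)")
# The utility class the public PoC instantiates to run an OS command.
EXECUTE_CLASS = re.compile(r"freemarker\.template\.utility\.Execute", re.IGNORECASE)
# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(s, rounds=3):
    """URL-decode until the string stops changing (bounded), to defeat double-encoding."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line):
    """Return a dict of SSTI indicators for one access-log line, or None if clean/unparseable."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    target = decode_fully(m.group("target"))
    indicators = []
    if TEMPLATE_EXPR.search(target):
        indicators.append("freemarker-new-builtin")
    if EXECUTE_CLASS.search(target):
        indicators.append("freemarker-execute-class")
    if not indicators:
        return None
    return {
        "client": m.group("client"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "target": target,
        "indicators": indicators,
    }


def scan(lines):
    """Run classify() over an iterable of log lines and return only the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log lines (addresses and timestamps are made up):
# 1. benign request to the same endpoint
# 2. URL-encoded PoC payload: ${"freemarker.template.utility.Execute"?new()("id")}
# 3. the same payload double-encoded
# 4. a probe that instantiates a different FreeMarker utility class
# 5. a line that is not in Common Log Format at all
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2022:10:00:01 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=abc123 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Apr/2022:10:05:12 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D HTTP/1.1" 400 -',
    '203.0.113.7 - - [12/Apr/2022:10:05:40 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew%2528%2529%2528%2522id%2522%2529%257D HTTP/1.1" 400 -',
    '198.51.100.9 - - [12/Apr/2022:10:07:45 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.ObjectConstructor%22%3Fnew%28%29%28%29%7D HTTP/1.1" 400 -',
    'malformed line that should be skipped',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['status']} {','.join(hit['indicators'])} {hit['target']}")
```

Any hit is worth a follow-up regardless of HTTP status: a request that reached the appliance already tells you someone is probing, and a matching request followed by outbound PowerShell or unexpected child processes from the Identity Manager service is the chain described above. Scope the scan to the appliance's own access logs and any reverse proxy in front of it, since a proxy may log the raw (encoded) form while the appliance logs the decoded one.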
Criticality and Who is Affected
The affected products are VMware Workspace ONE Access and VMware Identity Manager, together with products that embed Identity Manager (such as vRealize Automation 7.6 and VMware Cloud Foundation); the exact affected versions are listed in VMware advisory VMSA-2022-0011. Any organization running these products is affected, and those exposing them to the Internet are at the greatest risk, because exploitation requires no authentication. For deployments reachable from the Internet, our cybersecurity experts rate this vulnerability's criticality at 8 out of 10; for deployments that are not publicly reachable, 5 out of 10. NVD scores it higher still, with a CVSS v3 base score of 9.8 (Critical), so the patch or the documented workaround from the VMware advisory should be applied in either case. For more information visit its page on the National Vulnerability Database.