
CVE-2022-22954: Critical Vulnerability in VMware Workspace ONE Access and Identity Manager

A critical remote code execution vulnerability has been identified in VMware Workspace ONE Access and Identity Manager due to server-side template injection. Organizations must prioritize immediate patching to mitigate risk.

CRITICAL · Known Exploited · CVSS 9.8 · Published April 11, 2022


VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

This critical vulnerability has a CVSS score of 9.8, indicating a substantial risk to organizations. The potential for exploitation is high, as attackers may leverage this vulnerability to execute arbitrary code, compromising the confidentiality, integrity, and availability of affected systems.

Given the nature of this vulnerability and its potential impact, organizations should prioritize patching immediately. The vulnerability affects multiple VMware products, and timely remediation is crucial to safeguarding systems from potential attacks.

The urgency for defenders is reinforced by its inclusion in the Known Exploited Vulnerabilities (KEV) catalog. Immediate action is required to mitigate the risks associated with this vulnerability.

Vulnerability Details

The vulnerability identified as CVE-2022-22954 allows for remote code execution in VMware Workspace ONE Access and Identity Manager due to server-side template injection. The CVSS score of 9.8 categorizes this vulnerability as critical, highlighting its severe impact.

The affected products include various versions of VMware Identity Manager, vRealize Automation, and Workspace ONE Access. The vulnerability was published on April 11, 2022, and is classified under CWE-94.

Technical Analysis

The root cause of this vulnerability is the improper handling of user inputs in server-side template processing. Attackers can exploit this flaw via network access, allowing them to execute arbitrary code without the need for user interaction.

The attack vector is through the network, with a low attack complexity, requiring no privileges or user interaction. This vulnerability has a significant impact on confidentiality, integrity, and availability.

Risk & Impact Analysis

Risk to organizations includes potential unauthorized access, data breaches, and overall system compromise. The wide-ranging impact can lead to significant operational disruptions.

Organizations utilizing affected VMware products must assess their risk exposure. Given the critical nature of this vulnerability and its inclusion in the KEV catalog, organizations should address it in priority patch cycles.

Signal: Status
Known Exploit: Yes
Public PoC: Yes
Actively Exploited: Yes
Ransomware Use: Yes

Affected Versions

The affected versions include VMware Identity Manager (3.3.3, 3.3.4, 3.3.5, 3.3.6), vRealize Automation (7.6), and Workspace ONE Access (20.10.0.0, 20.10.0.1, 21.08.0.0, 21.08.0.1). Organizations should check their specific deployments against these versions.

Mitigation & Remediation

Organizations should apply updates per vendor instructions to remediate this vulnerability. If a patch is unavailable, consider implementing network segmentation to limit exposure and monitor for unusual activity.

For further guidance, organizations may use penetration testing services to assess the effectiveness of their defenses.

Detection Guidance

To detect exploitation attempts, organizations should monitor logs for unusual patterns indicative of template injection attempts. Additionally, behavioral anomalies in user sessions should be flagged for further investigation.
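
One way to implement the log monitoring described above, as an added example that is not AppSecure's or VMware's code: it scans access-log lines for template-expression openers after percent-decoding the request target. The log lines, paths and marker list are constructed assumptions; the page names neither the template engine nor the affected endpoint.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Template-expression openers used by common server-side engines
# (generic markers chosen for this example, not taken from the page).
TEMPLATE_MARKERS = re.compile(r"\$\{|#\{|<#|\{\{|<%")

# Combined-log-format line: client ... "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_template_injection(lines):
    """Return (client, status, decoded_target) for suspicious requests."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        client, target, status = m.groups()
        parts = urlsplit(target)
        decoded = fully_decode(parts.path + "?" + parts.query)
        if TEMPLATE_MARKERS.search(decoded):
            hits.append((client, int(status), decoded))
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Apr/2022:10:01:02 +0000] "GET /portal/login?user=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Apr/2022:10:01:09 +0000] "GET /portal/verify?id=%24%7B7*7%7D HTTP/1.1" 400 87',
    '198.51.100.7 - - [12/Apr/2022:10:01:15 +0000] "GET /portal/verify?id=%2524%257B7*7%257D HTTP/1.1" 400 87',
    '203.0.113.5 - - [12/Apr/2022:10:02:00 +0000] "GET /portal/search?q=price+%24+100 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, status, target in find_template_injection(SAMPLE_LOG):
        print(f"{client} status={status} {target}")
```

Access logs record only the request line, so parameters sent in a request body need the same check applied at a proxy or WAF that sees the body.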

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2022-22954 lies in its representation of the vulnerabilities that can arise from improper input handling. Security teams must prioritize securing template processing mechanisms to prevent similar vulnerabilities.

This vulnerability also highlights the importance of continuous monitoring and risk assessment. Security teams should regularly evaluate their defenses against template injection and similar attack vectors.

Organizations can enhance their security posture by adopting proactive measures, including regular security assessments and staff training on the latest threat vectors. For additional resources, visit our blog on penetration testing methodology and best practices.

As this vulnerability is actively exploited in the wild, organizations must remain vigilant and responsive to emerging threats.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
