VMware RCE Flaw Exploited to Install Backdoor (26th April 2022)

Ref# AL2022_26 | Date: Apr 26th 2022


Rocket Kitten, an Iranian-linked threat actor, was seen exploiting a recently patched VMware vulnerability to get initial access and deploy the Core Impact penetration testing tool on susceptible computers. 


The vulnerability which is being tracked as CVE-2022-22954, is a case of Remote Code Execution vulnerability affecting the VMware Workspace ONE Access. 

An attacker who takes advantage of this RCE flaw could have an endless attack surface. This entails having the maximum level of access to any part of the virtualized host and guest environment. 

How it works  

The attackers acquire initial access to the environment by exploiting CVE-2022-22954, a remote code execution vulnerability that does not require administrative access to the target server and comes with a publicly available proof-of-concept exploit. 

The attack begins with a PowerShell command that initiates a stager on the vulnerable service (Identity Manager). 

The stager then retrieves a highly disguised PowerTrash loader from the command and control (C2) server and loads a Core Impact agent into system memory. 

In this situation, Core Impact is a genuine penetration testing tool that has been abused for malicious objectives, similar to how Cobalt Strike is utilized in malicious campaigns. 


VMware released a patch to remedy this vulnerability, it is advised that you visit the following link to update your product. 


The Guyana National CIRT recommends that users and administrations review this alert and apply it where necessary.

PDF Download: VMware RCE Flaw Exploited to Install Backdoor.pdf