Versions (5)
Version DetailsCurrent
Rev: 1 • Apr 29, 2022, 12:00 PMET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954)"; flow:to_server,established; http.uri; content:"/catalog-portal/ui/oauth/verify?"; http.uri.raw; content:"&deviceUdid=%24%7b"; fast_pattern; nocase; reference:cve,2022-22954; classtype:attempted-admin; sid:2036416; rev:1; metadata:attack_target Server, created_at 2022_04_29, cve CVE_2022_22954, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_04_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Apr 29, 2022, 12:00 PM
Apr 29, 2022, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 21, 2024, 3:00 AM
rules/emerging-exploit.rules