1name: crowdsecurity/vpatch-CVE-2022-22954
2description: "VMWare Workspace ONE Access RCE (CVE-2022-22954)"
3rules:
4  - and:
5       - zones:
6           - URI
7         transform:
8           - lowercase
9         match:
10           type: contains
11           value: /catalog-portal/ui/oauth/verify
12       - zones:
13           - ARGS
14         variables:
15           - deviceUdid
16         transform:
17           - lowercase
18         match:
19           type: contains
20           value: ${
21
22labels:
23   type: exploit
24   service: http
25   confidence: 3
26   spoofable: 0
27   behavior: "http:exploit"
28   label: "VMware Workspace ONE - RCE"
29   references:
30    - https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/
31    - https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/
32    - https://nvd.nist.gov/vuln/detail/cve-2022-22954
33   classification:
34     - cve.CVE-2022-22954
35     - attack.T1595
36     - attack.T1190