Skip to main content

Multiple vulnerabilities present in VMware products

The ACSC is aware of multiple vulnerabilities in VMware products. Affected Australian organisations should take appropriate action.

Alert status

Background / What has happened?

Update: In August 2022, VMware released an updated security advisory (VMSA-2022-0021). Operators need to install the most recent patch to be protected against the Java Database Connectivity (JDBC) Injection Remote Code Execution Vulnerability (CVE-2022-31665). 

In April and May 2022, VMware released two security advisories (VMSA-2022-0011 & VSMA-2022-0014) relating to multiple vulnerabilities in their products. Exploiting the vulnerabilities may allow malicious actors to trigger a server-side template injection that may result in remote code execution (CVE-2022-22954); escalate privileges to ‘root’ (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972).

In addition, the ACSC is aware of malicious actors attempting to exploit a remote code execution (RCE) vulnerability in VMware products (CVE-2022-22954). VMware released a security advisory relating to these vulnerabilities in April 2022. Exploitation of an RCE vulnerability could allow a malicious actor to remotely install malware or otherwise control the affected device.

VMware, Inc. is an American cloud computing and virtualization technology company. VMware products include virtualization, networking and security management tools, software-defined data center software, and storage software.

Mitigation / How do I stay secure?

The US Cybersecurity & Infrastructure Security Agency has published an alert to assist network owners to detect and respond to this activity. 

For a full list of affected products, refer to VMware’s security advisories:Australian organisations who use VMware products should review their patch status and follow VMware’s patch instructions.

The ACSC recommends VMware users continue to monitor the VMware website for updates and future vulnerabilities.

Assistance / Where can I go for help?

The ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ACSC via, or 1300 CYBER1.


Content complexity
This rating relates to the complexity of the advice and information provided on the page.
Was this information helpful?
Was this information helpful?

Thanks for your feedback!


Tell us why this information was helpful and we’ll work on making more pages like it