Server-Side Template Injection RCE in VMware Workspace ONE Access and Identity Manager
CVE-2022-22954 is a remote code execution vulnerability in VMware Workspace ONE Access and VMware Identity Manager caused by server-side template injection (SSTI) in the FreeMarker template engine. The flaw is reachable without authentication through the products' web interface: a crafted HTTP GET request to /catalog-portal/ui/oauth/verify carrying a malicious deviceUdid parameter is rendered as a FreeMarker template instead of being treated as data. Published exploits abuse FreeMarker utility classes such as freemarker.template.utility.Execute and freemarker.template.utility.ObjectConstructor (the latter to instantiate java.lang.ProcessBuilder) to run arbitrary shell commands in the context of the VMware application user, and several of them go on to drop a JSP web shell into a web-accessible directory for persistence.
Exploits
10 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository contains a Python exploit script (CVE-2022-22954.py) targeting VMware Workspace ONE Access instances vulnerable to CVE-2022-22954, a critical server-side template injection (SSTI) vulnerability. The exploit works by sending a specially crafted payload to the /catalog-portal/ui/oauth/verify endpoint, leveraging FreeMarker's Execute utility to run arbitrary system commands on the target server. The script provides an interactive shell-like interface, allowing the attacker to input commands and receive output in real time. The README provides usage instructions, example commands, a Shodan query for identifying potential targets, and a bash one-liner for mass exploitation. The main exploit file is written in Python and is the only code file in the repository. The exploit is operational, providing real command execution on vulnerable targets, but does not include advanced features such as payload customization or post-exploitation modules.
This repository provides a proof-of-concept (PoC) exploit for CVE-2022-22954, a critical remote code execution (RCE) vulnerability in VMware Workspace ONE Access and Identity Manager. The main exploit script, 'CVE-2022-22954.py', is written in Python and allows the user to execute arbitrary system commands on vulnerable targets via a Server-Side Template Injection (SSTI) in the Freemarker template engine. The script supports three modes: 'manual' (specify a single IP and command), 'file' (read a list of IPs from 'ips.txt'), and 'shodan' (search for targets using the Shodan API). The exploit works by sending a specially crafted payload to the '/catalog-portal/ui/oauth/verify' endpoint, injecting the command via the 'deviceUdid' parameter. The repository also includes a sample 'ips.txt' file for batch exploitation and a README with usage instructions. No weaponization or advanced payload customization is present; this is a straightforward PoC for security testing and research purposes.
This repository provides a Python proof-of-concept exploit for CVE-2022-22954, a critical Server-Side Template Injection (SSTI) vulnerability in VMware Workspace ONE Access and Identity Manager. The main script, CVE-2022-22954.py, allows an attacker to execute arbitrary system commands on vulnerable servers by exploiting the 'deviceUdid' parameter of the /catalog-portal/ui/oauth/verify endpoint. The exploit supports three modes: 'manual' (single target), 'file' (multiple targets from ips.txt), and 'shodan' (automated target discovery via Shodan API). The payload leverages Freemarker template injection to achieve command execution. The repository also includes reconnaissance aids (shodan-dork.txt, zoomeye-dork.txt) for finding potential targets, and advise.txt, which describes how to drop a JSP webshell on the target for persistent access. The exploit is a functional PoC and does not include advanced features or payload customization, but it demonstrates the vulnerability and provides a basis for further weaponization.
This repository provides a Python proof-of-concept exploit for CVE-2022-22954, a critical server-side template injection (SSTI) vulnerability in VMware Workspace ONE Access and Identity Manager. The main script, CVE-2022-22954.py, allows an attacker to execute arbitrary commands on vulnerable servers via a crafted payload sent to the '/catalog-portal/ui/oauth/verify' endpoint. The exploit supports three modes: 'shodan' (automatically finds targets using the Shodan API and a specific favicon hash), 'file' (reads a list of target IPs from ips.txt), and 'manual' (directly targets a specified IP with a command). The repository also includes search dorks for Shodan and Zoomeye to help identify potential targets, and an advisory note describing how to drop a JSP webshell to '/opt/vmware/horizon/workspace/webapps/cas/static/' for persistent access. The exploit is a functional PoC, not weaponized, and is intended for security testing and research purposes.
This repository contains a Python exploit script (CVE-2022-22954.py) targeting VMware Workspace ONE Access servers vulnerable to CVE-2022-22954, a critical remote code execution vulnerability via server-side template injection (SSTI) in FreeMarker templates. The script allows for both single and batch exploitation, supporting command execution and arbitrary file (webshell) upload to the target server. The main exploit logic crafts payloads for multiple known vulnerable endpoints under the /catalog-portal/ path, attempting to execute commands or write files using FreeMarker template injection. The script can upload a default JSP webshell or a user-supplied file to typical web-accessible directories. The README provides usage instructions for various exploitation scenarios, including single target, batch mode, command execution, and file upload. The exploit is operational, providing real RCE and webshell capabilities, and is not just a detection script.
This repository contains a proof-of-concept (PoC) exploit for CVE-2022-22954, a critical server-side template injection (SSTI) vulnerability in VMware Workspace ONE Access and Identity Manager. The main file, CVE-2022-22954.py, is a Python script that takes a target domain and an arbitrary system command as arguments. It constructs a Freemarker template payload that leverages the vulnerability to execute the specified command on the target server. The payload is sent via a crafted GET request to the '/catalog-portal/ui/oauth/verify?error=&deviceUdid=' endpoint of the target. If the target is vulnerable, the script extracts and prints the output of the executed command from the server's response. The repository also includes a README.md with usage instructions and a brief description of the vulnerability. No hardcoded IPs or domains are present; the script requires the user to supply the target. The exploit is a functional PoC and does not include advanced features such as automated detection or post-exploitation modules.
This repository, 'VcenterKiller', is a comprehensive exploitation toolkit written in Go, targeting multiple critical vulnerabilities in VMware vCenter Server and Workspace ONE Access. It supports exploitation of CVE-2021-21972, CVE-2021-21985, CVE-2021-22005, CVE-2021-44228 (Log4Shell), CVE-2022-22954, CVE-2022-22972, and CVE-2022-31656. The tool provides modules for remote code execution, webshell upload, SSH key injection, authentication bypass, and Log4j JNDI injection (with built-in LDAP/RMI servers for payload delivery). The main entry point is 'main.go', which dispatches to specific modules under 'src/'. Each module implements the exploit logic for a specific CVE, with endpoints and payloads tailored to the vulnerability. The tool is operational and can be used for post-exploitation, red teaming, or authorized penetration testing of VMware environments. The codebase is modular, with clear separation of exploit logic per CVE, and includes support for proxies and various attack modes. The README provides detailed usage instructions and legal disclaimers.
This repository contains a Nuclei template (CVE-2022-22954.yaml) for exploiting a critical server-side template injection (SSTI) vulnerability (CVE-2022-22954) in VMware Workspace ONE Access and Identity Manager. The main file, CVE-2022-22954.yaml, defines an HTTP GET request to the '/catalog-portal/ui/oauth/verify' endpoint with a specially crafted 'deviceUdid' parameter that triggers the SSTI flaw, allowing unauthenticated remote code execution. The payload in the template demonstrates execution of system commands such as 'cat /etc/passwd'. The README.md provides usage instructions and a Shodan query for identifying potentially vulnerable systems. The poc.txt file contains a sample exploit URL. The repository is structured for use with the Nuclei scanning framework and serves as a proof-of-concept for this critical vulnerability.
This repository provides a functional exploit for CVE-2022-22954, a remote code execution (RCE) vulnerability in VMware Workspace ONE Access and Identity Manager via server-side template injection (SSTI). The main exploit script (CVE-2022-22954.py) is written in Python and supports three modes: 'shodan' (automatically finds targets using the Shodan API), 'file' (reads targets from ips.txt), and 'manual' (user-supplied target and command). The script exploits the vulnerable endpoint '/catalog-portal/ui/oauth/verify' to execute arbitrary commands on the target system. Additionally, the repository includes a JSP webshell (shell.jsp) that, when uploaded to the target's web-accessible directory, provides a reverse shell to 8.tcp.ngrok.io:12508. The 'advise.txt' file gives instructions for webshell deployment. The repository also contains search dorks for Shodan and Zoomeye to help identify vulnerable targets. Overall, the exploit is operational, providing both command execution and persistent access capabilities.
This repository contains a Python exploit script (CVE-2022-22954.py) targeting VMware Workspace ONE Access servers vulnerable to CVE-2022-22954, a remote code execution (RCE) vulnerability via server-side template injection. The script provides two main modes: a batch scan mode to check multiple URLs for the vulnerability, and an RCE mode to execute arbitrary commands on a specified target. The exploit works by sending a specially crafted HTTP GET request to the '/catalog-portal/ui/oauth/verify' endpoint with a malicious 'deviceUdid' parameter that triggers command execution through FreeMarker template injection. The script parses the response to extract command output if the server is vulnerable. The repository also includes a README (with usage instructions and a brief vulnerability description) and a requirements.txt listing Python dependencies. No hardcoded IPs or domains are present; the script requires user-supplied targets. The exploit is operational and can be used to verify and exploit the vulnerability on accessible VMware Workspace ONE Access instances.
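The exploit summaries above all describe the same request shape: a GET to /catalog-portal/ui/oauth/verify whose deviceUdid value contains FreeMarker syntax and the Execute, ObjectConstructor or ProcessBuilder classes, followed in several repositories by a JSP web shell written under the Workspace ONE webapps tree. The following is an added triage example written for this page; it is not code from any of the repositories listed, and the access-log format (Apache/Nginx "combined") and the sample log lines are constructed here. It flags log lines matching that request shape (URL-decoding the parameter so encoded payloads are not missed) and lists recently written .jsp files under a web application directory, which is the check a responder would run against the webapps path after patching.

```python
"""Triage helpers for CVE-2022-22954 (VMware Workspace ONE Access SSTI).

Added example, not code from any of the exploit repositories above.
Two offline checks for a responder:

  1. flag_request(line): does an access-log line hit
     /catalog-portal/ui/oauth/verify with a deviceUdid value that carries
     FreeMarker syntax or the Java classes named in the published exploits?
  2. find_recent_jsp(root, since): which .jsp files under a webapps tree were
     written after `since`? (web-shell hunt)

Assumption: logs are in Apache/Nginx "combined" format; adjust LOG_RE otherwise.
"""
from __future__ import annotations

import os
import re
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/catalog-portal/ui/oauth/verify"

# Indicators taken from the exploit descriptions: FreeMarker interpolation and
# directive syntax, the ?new built-in, and the utility classes used for RCE.
SSTI_INDICATORS = (
    "${", "<#", "?new(",
    "freemarker.template.utility.Execute",
    "freemarker.template.utility.ObjectConstructor",
    "java.lang.ProcessBuilder",
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    ts: str
    status: int
    device_udid: str          # decoded parameter value
    indicators: list[str]     # which SSTI_INDICATORS matched


def flag_request(line: str) -> Finding | None:
    """Return a Finding if the log line looks like a CVE-2022-22954 attempt."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != VULN_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    # Match the parameter name case-insensitively: PoCs use deviceUdid, but
    # the write-ups above also spell it deviceudid.
    raw = [v for k, vals in params.items() if k.lower() == "deviceudid" for v in vals]
    if not raw:
        return None
    # parse_qs already percent-decodes once; decode again to catch double encoding.
    decoded = unquote("".join(raw))
    hits = [ind for ind in SSTI_INDICATORS if ind in decoded]
    if not hits:
        return None
    return Finding(m["ip"], m["ts"], int(m["status"]), decoded, hits)


def triage(lines: list[str]) -> list[Finding]:
    """Run flag_request over a batch of log lines, keeping only the hits."""
    return [f for f in map(flag_request, lines) if f is not None]


def find_recent_jsp(root: str, since: float) -> list[str]:
    """List .jsp/.jspx files under root with mtime after `since` (epoch secs).

    The exploits above write shells under the Workspace ONE webapps tree,
    e.g. /opt/vmware/horizon/workspace/webapps/cas/static/.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.stat(path).st_mtime > since:
                    found.append(path)
            except OSError:
                continue
    return sorted(found)


# Constructed sample log lines: a benign login request, an exploitation attempt
# with a URL-encoded FreeMarker payload in deviceUdid, and a hit on the
# endpoint with an ordinary (non-template) deviceUdid value.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Apr/2022:10:00:01 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Apr/2022:10:00:02 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid='
    '%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D HTTP/1.1" 400 1980 "-" "python-requests/2.27.1"',
    '192.0.2.4 - - [06/Apr/2022:10:00:03 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=abc123 HTTP/1.1" 400 1980 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} status={f.status} indicators={f.indicators}")
        print(f"  deviceUdid={f.device_udid}")
    # Hunt for shells written in the last 7 days (path from the exploit notes above).
    for p in find_recent_jsp("/opt/vmware/horizon/workspace/webapps", time.time() - 7 * 86400):
        print("recent jsp:", p)
```

A hit on the endpoint alone is not evidence of exploitation (the third sample line is normal traffic), so the check keys on the decoded deviceUdid content rather than the path; a benign value never contains `${`, `<#` or `?new(`. Because logs record the request line as sent, double-encoded payloads are decoded twice before matching. The mtime-based shell hunt is only a first pass: an attacker who gained shell access can reset timestamps, so any .jsp the build did not ship should be compared against a known-good install.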
Affected products & vendors
VMware Workspace ONE Access and VMware Identity Manager (vendor-confirmed product mapping).
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A VMware Workspace ONE vulnerability that attackers have actively exploited to deploy web shells in the Workspace ONE webapps path.
A server-side template injection vulnerability in VMware Workspace ONE Access that can lead to remote code execution.
A reference to CVE-2022-22954 in a write-up on YARA rule improvements for detecting exploit and PoC artifacts.
A remote code execution vulnerability in VMware Workspace ONE that allows attackers to compromise the underlying appliance.