VMware has just rolled out an update to resolve a critical security flaw in its Cloud Director product that could be weaponized to launch remote code execution attacks.
CVE-2022-22966 is rated 9.1 out of 10 on the CVSS scoring system.
VMware said: “An authenticated, high privileged malicious actor with access to the VMware Cloud Director tenant or provider may be able to exploit a remote code execution vulnerability to gain access to the server.”
This means that, under certain conditions, the vulnerability could allow attackers to gain access to sensitive data and take over private clouds.
Affected versions include 10.1.x, 10.2.x and 10.3.x; the flaw has been fixed in versions 10.1.4.1, 10.2.2.3 and 10.3.3. There are workarounds that can be followed when upgrading isn’t an option, as described here.
This update comes days after another vulnerability (CVE-2022-22954) started being exploited in the wild. This highlights the need to have a rigid process in place to ensure systems remain patched and up to date.
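A patch-status check built from the affected branches and fixed versions listed above, as an added example that is not part of the original article or any VMware tooling. It assumes that within each affected branch any release at or above the fixed version is patched; the host names and inventory are constructed.

```python
import re

# Fixed release per affected branch, as listed in the article for CVE-2022-22966.
FIXED = {
    (10, 1): (10, 1, 4, 1),
    (10, 2): (10, 2, 2, 3),
    (10, 3): (10, 3, 3),
}

def parse_version(text):
    """Turn '10.2.2.3' (optionally followed by a build suffix) into a tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def _pad(version, length):
    # Treat missing trailing components as zero so 10.3.3 == 10.3.3.0.
    return version + (0,) * (length - len(version))

def classify(version_text):
    """Return 'patched', 'vulnerable', or 'not-listed' for one version string."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # The article says nothing about this branch; flag it for manual review.
        return "not-listed"
    width = max(len(version), len(fixed))
    # Assumption: releases at or above the fixed version in a branch are patched.
    return "patched" if _pad(version, width) >= _pad(fixed, width) else "vulnerable"

def audit(inventory):
    """Map each host to its status; unparseable versions are reported, not dropped."""
    report = {}
    for host, version_text in inventory.items():
        try:
            report[host] = classify(version_text)
        except ValueError:
            report[host] = "unparseable"
    return report

# Constructed sample inventory (host names and versions are illustrative only).
SAMPLE_INVENTORY = {
    "vcd-a.example.internal": "10.1.4",
    "vcd-b.example.internal": "10.2.2.3",
    "vcd-c.example.internal": "10.3.3.0",
    "vcd-d.example.internal": "10.0.0.5",
    "vcd-e.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `not-listed` or `unparseable` need manual review, since the article only covers the 10.1.x, 10.2.x and 10.3.x branches.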