In a security advisory published Aug. 2, 2022, VMware urged administrators to review and patch a critical vulnerability that allows authentication bypass affecting local domain users and multiple products.
Being tracked at CVE-2022-31656, the VMware vulnerability creates the potential for a malicious actor with network access to the UI to obtain administrative access without the need to authenticate.
Information on each of the included CVEs, links to patching information and available workarounds can be found in VMware’s security advisory. You can also access VMware’s support document that offers FAQs on this critical vulnerability.
This vulnerability affects the following VMware products:
Nuspire is not affected by the VMware auth bypass vulnerability.
Fortunately, patches have been released for this vulnerability, as well as a workaround for those who cannot patch immediately. It’s important to note that patching is the only way to fully address the vulnerability, so it’s advised to use the workaround solution only if absolutely necessary.
Additionally, patches were released for a high-level remote code execution (RCE) vulnerability being tracked as CVE-2022-31658. This threat does not have any workarounds and must be patched.
VMware users should review VMware’s security advisory containing all CVEs and apply applicable patches or workarounds as soon as possible in accordance with their documentation.