CVE-2022-22955
Description
VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
VMware Workspace ONE Access OAuth2 ACS framework contains authentication bypass vulnerabilities allowing unauthenticated operations.
Vulnerability
VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager contain an authentication bypass vulnerability in the OAuth2 ACS framework, identified as CVE-2022-22955 [1]. This vulnerability affects the OAuth2 authentication framework and allows a malicious actor to bypass the authentication mechanism and execute any operation due to exposed endpoints [1]. Affected versions are those prior to the patches released in April 2022, as referenced in VMSA-2022-0011 [1]. No other configuration is required beyond having a vulnerable version of the software deployed.
Exploitation
A malicious actor with network access to the affected product can exploit this vulnerability by sending crafted requests to exposed endpoints in the OAuth2 ACS framework [1]. No authentication is required for the attacker to trigger the bypass. The vulnerability does not require any user interaction or special privileges beyond network connectivity to the vulnerable service [1].
Impact
Successful exploitation allows the attacker to bypass the authentication mechanism and execute any operation on the affected system [1]. This leads to complete compromise of confidentiality, integrity, and availability (CIA) of the affected VMware products, as the attacker can perform arbitrary operations without valid credentials [1]. The impact scope is broad, affecting multiple VMware products including Workspace ONE Access, Identity Manager, and vRealize Automation.
Mitigation
VMware has released patches to remediate these vulnerabilities, as detailed in VMSA-2022-0011 [1]. Fixed versions are available for all impacted products: VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager [1]. VMware recommends applying the appropriate patches listed in the 'Fixed Version' column of the Resolution Matrix in the advisory [1]. No workarounds are mentioned in the available references, so patching is the primary mitigation. CVE-2022-22955 is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- VMware/Workspace ONE Access
Patches
No patches discovered yet.
References
[1] www.vmware.com/security/advisories/VMSA-2022-0011.html
News mentions
No linked articles in our index yet.