This indicates an attack attempt against an Server Side Template Injection vulnerability in VMware Workspace ONE Access and Identity Manager.
The vulnerability is due to insufficient sanitizing of user supplied custom templates. A remote attacker can exploit this to execute arbitrary code within the context of the target system.

description-logoOutbreak Alert

Fortinet researchers observed VMware vulnerability (CVE-2022-22954) being exploited in the wild and leveraged to deliver multiple malware payloads such as cryptocurrency miners and ransomware on the affected machines. During August 2022, more than 50,000 devices were seen in attack attempts trying to exploit this vulnerability.

View the full Outbreak Alert Report

affected-products-logoAffected Products

VMware Workspace ONE Access,,,
VMware Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3
VMware Cloud Foundation (vIDM) 4.x
vRealize Suite Lifecycle Manager (vIDM) 8.x

Impact logoImpact

System Compromise: Remote attackers can gain control of vulnerable systems.

recomended-action-logoRecommended Actions

Apply the most recent upgrade or patch from the vendor.

Telemetry logoTelemetry


IPS (Regular DB)
IPS (Extended DB)

Version Updates

Date Version Detail
2023-09-11 25.635 Sig Added
2023-09-06 25.633 Sig Added
2022-09-19 22.396 Sig Added
2022-05-16 20.316 Default_action:pass:drop
2022-04-13 20.297