1. Home
  2. Mapping Frameworks
  3. Known Exploited Vulnerabilities Home
  4. VMware vCenter Server Incorrect Default File Permissions Vulnerability

Known Exploited Vulnerabilities CVE-2022-22948 Mappings

The vCenter Server contains an information disclosure vulnerability due to improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2022-22948 VMware vCenter Server Incorrect Default File Permissions Vulnerability secondary_impact T1068 Exploitation for Privilege Escalation
Comments
This vulnerability is exploited by an adversary who has gained access to a valid account on the vCenter Server. The adversary can gain access to unencrypted Postgres credentials on the server, which grants the adversary access to the vCenter's internal database where the vpxuser account passphrase is stored. Adversaries can leverage this information to decrypt the vpxuser password, which will grant them root privileges.
References
  1. https://pentera.io/blog/information-disclosure-in-vmware-vcenter/
  2. https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
CVE-2022-22948 VMware vCenter Server Incorrect Default File Permissions Vulnerability primary_impact T1212 Exploitation for Credential Access
Comments
This vulnerability is exploited by an adversary who has gained access to a valid account on the vCenter Server. The adversary can gain access to unencrypted Postgres credentials on the server, which grants the adversary access to the vCenter's internal database where the vpxuser account passphrase is stored. Adversaries can leverage this information to decrypt the vpxuser password, which will grant them root privileges.
References
  1. https://pentera.io/blog/information-disclosure-in-vmware-vcenter/
  2. https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
CVE-2022-22948 VMware vCenter Server Incorrect Default File Permissions Vulnerability exploitation_technique T1078 Valid Accounts
Comments
This vulnerability is exploited by an adversary who has gained access to a valid account on the vCenter Server. The adversary can gain access to unencrypted Postgres credentials on the server, which grants the adversary access to the vCenter's internal database where the vpxuser account passphrase is stored. Adversaries can leverage this information to decrypt the vpxuser password, which will grant them root privileges.
References
  1. https://pentera.io/blog/information-disclosure-in-vmware-vcenter/
  2. https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/