CVE-2022-22954 VMware RCE



Python script to exploit CVE-2022-22954 and then exploit CVE-2022-22960

CVE-2022-22954 PoC

VMware Workspace ONE Access and Identity Manager RCE via SSTI. CVE-2022-22954 – PoC SSTI

Usage: [-h] -m SET_MODE [-i IP] [-c CMD]
optional arguments:
  -h, --help            show this help message and exit
  -m SET_MODE, --mode SET_MODE
                        Available modes: shodan | file | manual
  -i IP, --ip IP        Host IP
  -c CMD, --cmd CMD     Command string


  • shodan: Retrieves IP list based on “http.favicon.hash:-1250474341” query
  • file: Put your IP list in ips.txt
  • manual: Pass IP and CMD arguments to -m manual mode


This is just a PoC. Use it at wour own risk and not in production nor real environments. Don’t ask me why the code is like this or if it’s good or bad, I don’t care. I’m not a cool programmer and my code is ugly.

Zoomeye CLI Dork:

zoomeye search 'iconhash:-1250474341'  -num 780  -filter=ip,port

zoomeye search 'banner:/SAAS/auth/login'  -num 900  -filter=ip,port

Shodan CLI Dork:

shodan  search "http.favicon.hash:-1250474341" --fields=ip_str,port --separator ":" --limit 1000 | grep ''

shodan  search 'title:"Workspace ONE Access"' --fields=ip_str,port --separator ":" --limit 1000 | grep ''

The CVE-2022-22954 is a github repository by Chocapik