Virtualization technology giant VMware released an urgent and high-priority patch on Tuesday to address an authentication bypass vulnerability in its Workspace ONE Access, Identity Manager, and vRealize Automation products.
The vulnerability carries VMware’s highest severity rating (CVSSv3 base score of 9.8) and should be patched without delay, the company said in an advisory.
“VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the user interface may be able to gain administrative access without having need to authenticate,” VMware warned.
“This critical vulnerability should be patched or mitigated immediately as directed by [the advisory],” VMware said.
The authentication bypass vulnerability, identified as CVE-2022-31656, was discovered and reported by PetrusViet (a member of VNG Security).
The company said it was not aware of any exploitation in the wild, but in an additional note, VMware confirmed that this flaw is a variant of a previously patched issue (VMSA-2022-0014) for which exploit code is publicly available.
The latest patches also cover at least 9 documented vulnerabilities affecting VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, and vRealize Automation product lines.