VMware on Wednesday released software updates to plug two critical security vulnerabilities affecting its Carbon Black App Control platform that could be abused by a malicious actor to execute arbitrary code on affected installations on Windows systems.
Tracked as CVE-2022-22951 and CVE-2022-22952, both flaws are rated 9.1 out of a maximum of 10 on the CVSS vulnerability scoring system. Security researcher Jari Jääskelä is credited with reporting the two issues.
That said, successful exploitation of the vulnerabilities banks on the prerequisite that the attacker is already logged in as an administrator or a highly privileged user.
VMware Carbon Black App Control is an application allowlisting solution that's used to lock down servers and critical systems, prevent unwanted changes, and ensure continuous compliance with regulatory mandates.
CVE-2022-22951 has been described as a command injection vulnerability that could enable an authenticated, highly privileged actor with network access to the VMware App Control administration interface to "execute commands on the server due to improper input validation leading to remote code execution."

Read more: https://bit.ly/3tAIqrq