## https://sploitus.com/exploit?id=FB4E2E7D-EBA0-5AD8-A2C0-6EE27D053537
# CVE-2022-22954
This package detects a subset of
[CVE-2022-22954](https://nvd.nist.gov/vuln/detail/CVE-2022-22954) exploit
attempts and successful exploits and generates a notice that includes the
exploit URI and the first 4 KB of the data that was sent back to the attacker
as a response. While detecting this attack is more straightforward from [log
analysis](https://corelight.com/blog/finding-cve-2022-22954-with-zeek), this
package helps by logging the response sent back to the attacker to aid in
incident response.
## Sample Notice
Two notices can be generated from this package:

* `VMWareRCE2022::ExploitAttempt`, and
* `VMWareRCE2022::ExploitSuccess`

The first is generated when an attack is attempted, but does not necessarily
succeed. The second is fired only when a successful exploit is detected and
should be investigated immediately. Below is an example of a successful exploit
notice.
```
1223906136.104000 C5uvDn3o7ejGdRxeVb - - - - - - - - VMWareRCE2022::ExploitSuccess 192.168.0.1 successfully exploited 173.37.145.84. See sub for uri/response. uri: /catalog-portal/ui/oauth/verify?error=&deviceUdid=${{freemarker.template.utility.Execute?new()(whoami)}}; response: www-data\x0a - - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
```
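For triage, the two notice types can be pulled out of `notice.log` and the `sub` field split into its URI and response parts. The script below is an added example, not part of this package; it assumes Zeek's default TSV log format and the `uri: ...; response: ...` layout seen in the sample above, and its embedded log is constructed with a trimmed column set.

```python
import re

NOTES = {"VMWareRCE2022::ExploitAttempt", "VMWareRCE2022::ExploitSuccess"}

# Constructed sample: Zeek TSV header with a trimmed column set, the notice
# shown above re-split on tabs, and one unrelated notice.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tnote\tmsg\tsub",
    "1223906136.104000\tC5uvDn3o7ejGdRxeVb\tVMWareRCE2022::ExploitSuccess\t"
    "192.168.0.1 successfully exploited 173.37.145.84. See sub for uri/response.\t"
    "uri: /catalog-portal/ui/oauth/verify?error=&deviceUdid="
    "${{freemarker.template.utility.Execute?new()(whoami)}}; response: www-data\\x0a",
    "1223906140.000000\tCconstructed0001\tSSL::Invalid_Server_Cert\tconstructed\t-",
    "#close\t2008-10-13-13-55-40",
])

def unescape(value):
    """Decode Zeek's \\xNN escapes (the only escape form handled here)."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def triage(log_text):
    """Return this package's notices, successful exploits first, then by time."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the tag
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split("\t")))
        if row.get("note") not in NOTES:
            continue
        # Assumption from the sample: sub is "uri: <uri>; response: <body>".
        uri, sep, body = row.get("sub", "").partition("; response: ")
        hits.append({
            "ts": float(row["ts"]),
            "uid": row["uid"],
            "success": row["note"].endswith("ExploitSuccess"),
            "uri": unescape(uri.removeprefix("uri: ")),
            "response": unescape(body) if sep else None,
        })
    return sorted(hits, key=lambda h: (not h["success"], h["ts"]))

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The `uid` in each result can be used to pivot into `http.log` and `conn.log` for the same connection.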
## Installing
This package can be installed with `zkg` using the following commands:
```
$ zkg refresh
$ zkg install cve-2022-22954
```
Corelight customers can install it by updating the CVE bundle.