VMware has fixed an OS command injection vulnerability and a file upload vulnerability in its Carbon Black App Control security product for Windows.
Both problems received a score of 9.1 out of a maximum 10 on the CVSS scale. Exploiting them allows an attacker to execute arbitrary commands on a Windows-based system in order to deploy malware, steal data, or scan the network. In both cases the attacker must first log in as an administrator or another highly privileged user.
VMware representatives did not say whether these vulnerabilities are actively exploited in real attacks.
Both vulnerabilities affect the VMware Carbon Black App Control product, an agent-based data center protection tool that lets system administrators lock down servers and prevent unwanted changes to or interference with critical systems.
The OS command injection vulnerability (CVE-2022-22951) may allow an authenticated attacker with high privileges and network access to the VMware App Control administration interface to remotely execute commands on the server.
The second problem (CVE-2022-22952) may allow an attacker with administrative access to upload a specially crafted file and then execute malicious code on the Windows system running the App Control server.