title: CVE-2022-31659 VMware Workspace ONE Access RCE
id: efdb2003-a922-48aa-8f37-8b80021a9706
status: test
description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
references:
    - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2022-31659
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the contents of the post body and look for any suspicious hosts that might be controlled by the attacker
    condition: selection
falsepositives:
    - Vulnerability scanners
    - Legitimate access to the URI
level: medium