VMware has patched two Critical vulnerabilities (CVE-2022-22951, CVE-2022-22952) in VMware Carbon Black App Control (AppC).
An attacker could exploit these vulnerabilities to take control of an affected system.
The first issue patched is a Critical OS command injection vulnerability, CVE-2022-22951 (CVSS score of 9.1), in VMware Carbon Black App Control.
“An authenticated, high privileged malicious actor with network access to the VMware App Control administration interface may be able to execute commands on the server due to improper input validation leading to remote code execution,” VMware wrote in an advisory.
The second issue addressed is a Critical file upload vulnerability, CVE-2022-22952 (CVSS score of 9.1), in VMware Carbon Black App Control.
“A malicious actor with administrative access to the VMware App Control administration interface may be able to execute code on the Windows instance where AppC Server is installed by uploading a specially crafted file,” VMware added.
VMware Carbon Black App Control versions 8.8.2, 8.7.4, 8.6.6, and 8.5.14 address both vulnerabilities.