CVE-2021-22054
published 2021-12-17


Priority P189 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2026-03-23
Exploited in the wild
EPSS: 97.71% (99.9th percentile)

VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain an SSRF vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | workspace_one_uem_console | >= 20.0.8.0 < 20.0.8.36 | 20.0.8.36 |
| vmware | workspace_one_uem_console | >= 20.11.0.0 < 20.11.0.40 | 20.11.0.40 |
| vmware | workspace_one_uem_console | >= 21.2.0.0 < 21.2.0.27 | 21.2.0.27 |
| vmware | workspace_one_uem_console | >= 21.5.0.0 < 21.5.0.37 | 21.5.0.37 |

Detection & IOCs (extracted from sources)

url: /Catalog/BlobHandler.ashx?Url=YQB3AGUAdgAyADoAawB2ADAAOgB4AGwAawBiAEoAbwB5AGMAVwB0AFEAMwB6ADMAbABLADoARQBKAGYAYgBHAE4ATgBDADUARQBBAG0AZQBZAE4AUwBiAFoAVgBZAHYAZwBEAHYAdQBKAFgATQArAFUATQBkAGcAZAByAGMAMgByAEUAQwByAGIAcgBmAFQAVgB3AD0A
path: /Catalog/BlobHandler.ashx
path: /AirWatch/BlobHandler.ashx
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS VMware AirWatch BlobHandler Server Side Request Forgery M2 (CVE-2021-22054)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Catalog/BlobHandler.ashx|3f|"; fast_pattern; startswith; content:"Url="; distance:0; reference:url,www.assetnote.io/resources/research/encrypting-our-way-to-ssrf-in-vmware-workspace-one-uem-cve-2021-22054; reference:cve,2021-22054; classtype:attempted-admin; sid:2068228; rev:1; metadata:affected_product VMware, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_13, cve CVE_2021_22054, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2026_03_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS VMware AirWatch BlobHandler Server Side Request Forgery M1 (CVE-2021-22054)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/AirWatch/BlobHandler.ashx|3f|"; fast_pattern; startswith; content:"Url="; distance:0; reference:url,www.assetnote.io/resources/research/encrypting-our-way-to-ssrf-in-vmware-workspace-one-uem-cve-2021-22054; reference:cve,2021-22054; classtype:attempted-admin; sid:2068227; rev:1; metadata:affected_product VMware, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_13, cve CVE_2021_22054, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Unknown, tag Exploit, tag CISA_KEV, updated_at 2026_03_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests are unauthenticated GET requests to BlobHandler.ashx with a `Url=` parameter containing a Base64/encrypted payload; no authentication headers are required.
  • Two attack paths exist: requests to `/Catalog/BlobHandler.ashx` (M2, sid:2068228) and `/AirWatch/BlobHandler.ashx` (M1, sid:2068227) — both with a `Url=` query parameter. Monitor both paths.
  • FOFA fingerprinting for exposed UEM consoles: look for banner or header containing `/AirWatch/default.aspx` to identify in-scope assets.
  • Nuclei template matches on HTTP 200 response containing the string `Interactsh Server` in the body, confirming out-of-band SSRF callback.
  • Snort/Suricata rules should be deployed at the perimeter with TLS decryption enabled (`tls_state TLSDecrypt`, `deployment SSLDecrypt`) as traffic may be HTTPS.
  • The `Url=` parameter value in exploit requests is encrypted/encoded (not a plain-text URL), so a simple string match on the parameter value is insufficient; detection must key on the path and parameter name rather than the value.
  • Snort/Suricata rules require TLS inspection (`tls_state TLSDecrypt`) to be effective; without SSL decryption at the perimeter, encrypted exploit traffic will not be detected.

CVSS provenance

nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd (v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck: 7.5 HIGH
cisa: 7.5 HIGH