CVE-2021-22054
Published 2021-12-17
Priority: P1 · 89 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-03-23
Exploited in the wild
EPSS: 97.71% (99.9th percentile)
VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain an SSRF vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | workspace_one_uem_console | >= 20.0.8.0 < 20.0.8.36 | 20.0.8.36 |
| vmware | workspace_one_uem_console | >= 20.11.0.0 < 20.11.0.40 | 20.11.0.40 |
| vmware | workspace_one_uem_console | >= 21.2.0.0 < 21.2.0.27 | 21.2.0.27 |
| vmware | workspace_one_uem_console | >= 21.5.0.0 < 21.5.0.37 | 21.5.0.37 |
Detection & IOCs
url: /Catalog/BlobHandler.ashx?Url=YQB3AGUAdgAyADoAawB2ADAAOgB4AGwAawBiAEoAbwB5AGMAVwB0AFEAMwB6ADMAbABLADoARQBKAGYAYgBHAE4ATgBDADUARQBBAG0AZQBZAE4AUwBiAFoAVgBZAHYAZwBEAHYAdQBKAFgATQArAFUATQBkAGcAZAByAGMAMgByAEUAQwByAGIAcgBmAFQAVgB3AD0A
path: /Catalog/BlobHandler.ashx
path: /AirWatch/BlobHandler.ashx
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS VMware AirWatch BlobHandler Server Side Request Forgery M2 (CVE-2021-22054)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Catalog/BlobHandler.ashx|3f|"; fast_pattern; startswith; content:"Url="; distance:0; reference:url,www.assetnote.io/resources/research/encrypting-our-way-to-ssrf-in-vmware-workspace-one-uem-cve-2021-22054; reference:cve,2021-22054; classtype:attempted-admin; sid:2068228; rev:1; metadata:affected_product VMware, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_13, cve CVE_2021_22054, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2026_03_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS VMware AirWatch BlobHandler Server Side Request Forgery M1 (CVE-2021-22054)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/AirWatch/BlobHandler.ashx|3f|"; fast_pattern; startswith; content:"Url="; distance:0; reference:url,www.assetnote.io/resources/research/encrypting-our-way-to-ssrf-in-vmware-workspace-one-uem-cve-2021-22054; reference:cve,2021-22054; classtype:attempted-admin; sid:2068227; rev:1; metadata:affected_product VMware, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_13, cve CVE_2021_22054, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Unknown, tag Exploit, tag CISA_KEV, updated_at 2026_03_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit requests are unauthenticated GET requests to BlobHandler.ashx with a `Url=` parameter containing a Base64/encrypted payload; no authentication headers are required.
- Two attack paths exist: requests to `/Catalog/BlobHandler.ashx` (M2, sid:2068228) and `/AirWatch/BlobHandler.ashx` (M1, sid:2068227), both with a `Url=` query parameter. Monitor both paths.
- FOFA fingerprinting for exposed UEM consoles: look for banner or header containing `/AirWatch/default.aspx` to identify in-scope assets.
- Nuclei template matches on HTTP 200 response containing the string `Interactsh Server` in the body, confirming out-of-band SSRF callback.
- Snort/Suricata rules should be deployed at the perimeter with TLS decryption enabled (`tls_state TLSDecrypt`, `deployment SSLDecrypt`) as traffic may be HTTPS.
- The `Url=` parameter value in exploit requests is encrypted/encoded (not plain-text URL), making simple string-match on the parameter value insufficient; detection must key on the path and parameter name rather than the value.
- Snort/Suricata rules require TLS inspection (`tls_state TLSDecrypt`) to be effective; without SSL decryption at the perimeter, encrypted exploit traffic will not be detected.
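The notes above key detection on the handler path and the `Url` parameter name rather than its value. The following added example (not taken from any source aggregated on this page) applies the same matching to web server access logs, which are written after TLS termination. The W3C-style field layout, the constructed sample rows and the case-insensitive comparison are assumptions.

```python
from urllib.parse import unquote, parse_qsl

# Handler paths named in the two ET rules (sid 2068227 = M1, sid 2068228 = M2).
HANDLER_PATHS = {"/airwatch/blobhandler.ashx": "M1",
                 "/catalog/blobhandler.ashx": "M2"}

def find_blobhandler_hits(lines):
    """Return one dict per GET to BlobHandler.ashx that carries a Url parameter."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "GET":
            continue
        # Assumption: the server resolves paths case-insensitively, so normalise
        # case and percent-encoding before comparing.
        stem = unquote(row.get("cs-uri-stem", "")).lower()
        variant = HANDLER_PATHS.get(stem)
        if variant is None:
            continue
        query = row.get("cs-uri-query", "-")
        names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
        # Match on the parameter name only: the value is encrypted/encoded.
        if "url" not in names:
            continue
        hits.append({"variant": variant, "client": row.get("c-ip"),
                     "user": row.get("cs-username"), "status": row.get("sc-status")})
    return hits

# Constructed sample log: documentation IP ranges, placeholder parameter values.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-03-14 10:01:02 GET /AirWatch/default.aspx - - 198.51.100.7 200
2026-03-14 10:01:05 GET /Catalog/BlobHandler.ashx Url=PLACEHOLDER - 203.0.113.9 200
2026-03-14 10:01:09 GET /airwatch/blobhandler.ashx url=PLACEHOLDER - 203.0.113.9 500
2026-03-14 10:02:00 POST /Catalog/BlobHandler.ashx Url=PLACEHOLDER - 203.0.113.9 405
2026-03-14 10:02:30 GET /Catalog/BlobHandler.ashx id=42 - 198.51.100.7 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_blobhandler_hits(SAMPLE_LOG):
        print(hit)
```

A `user` value of `-` on a hit means the request carried no authenticated identity, which matches the unauthenticated pattern described in the notes.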
CVSS provenance
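| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |
| cisa | | 7.5 | HIGH | |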
GHSA
GHSA-xqxh-cq77-r6qh: VMware Workspace ONE UEM console 20
ghsa_unreviewed · 2021-12-18
CVE-2021-22054 [HIGH] CWE-918
VulnCheck
Omnissa Workspace ONE Server-Side Request Forgery
vulncheck · 2021 · CVSS 7.5
CVE-2021-22054 [HIGH] CWE-918
Omnissa Workspace One UEM formerly known as VMware Workspace One UEM contains a server-side request forgery (SSRF) vulnerability that could allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.
Affected: Omnissa Workspace One UEM
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.greynoise.io/blog/new-ssrf-exploitation-surge; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/9d922ab3c39a
Remediation Due: 2026-0
CISA
Omnissa Workspace ONE Server-Side Request Forgery
cisa · 2026-03-09 · CVSS 7.5
CVE-2021-22054 [HIGH] CWE-918
Notes: https://web.archive.org/web/20211222154335/https://www.vmware.com/security/advisories/VMSA-2021-0029.html ; https://nvd.nist.gov/vuln/detail/CVE-2021-22054
Remediation Due Date: 2026-03-23
Nuclei
VMWare Workspace ONE UEM - Server-Side Request Forgery
nuclei · CVSS 7.5
CVE-2021-22054 [HIGH]
VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain a server-side request forgery vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.
Template:
id: CVE-2021-22054
info:
  name: VMWare Workspace ONE UEM - Server-Side Request Forgery
  author: h1ei1
  severity: high
  description: VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain a server-side request forgery vulnerability. This issue may allow a malicious actor with netw
Greynoiseio
New SSRF Exploitation Surge Serves as a Reminder of 2019 Capital One Breach
blogs_greynoiseio · 2025-03-11
Greynoiseio
NoiseLetter March 2026
blogs_greynoiseio
2021-12-17: Published
2026-03-09: Added to CISA KEV
Exploited in the wild