Listen to this Post
The vulnerability is a pre-authentication Server-Side Request Forgery (SSRF) found in the `BlobHandler.ashx` endpoint of the VMware Workspace ONE UEM console . The handler contains logic to proxy HTTP requests based on a specially crafted, encrypted `Url` parameter. To decrypt this parameter, the application uses a `DataEncryption.DecryptString` function. During the decryption process, the function checks for a `keyVersion` identifier within the ciphertext. Researchers discovered that if the `keyVersion` is set to “kv0” or is null, the function bypasses the database key retrieval and falls back to a hardcoded “DefaultMasterKey” . By reverse-engineering this static master key, an attacker can encrypt a malicious URL payload. When the console processes this encrypted value, it decrypts it using the hardcoded key and blindly makes an HTTP request to the attacker-specified internal or external address, allowing the attacker to access sensitive information without authentication .
Platform: VMware Workspace ONE
Version: 20.0.8,20.11.0,21.2.0,21.5.0
Vulnerability : Server-Side Request Forgery
Severity: High (7.5)
Date: Dec 17, 2021
Prediction: Patched Dec 2021
What Undercode Say:
Analytics: The CVE-2021-22054 vulnerability has a CVSS score of 7.5 (High) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low complexity, no privileges required, and high confidentiality impact . The EPSS score is approximately 77.97% to 86.35%, placing it in the 97th percentile, meaning it has a very high probability of exploitation in the wild . GreyNoise observed a coordinated surge in SSRF exploitation attempts on March 9, 2025, involving over 400 IPs targeting this and other vulnerabilities .
Exploit:
Exploit Concept: Encrypt a target URL using the hardcoded master key and send it to the vulnerable handler.
Researchers used a custom C binary to perform encryption, then wrapped it in Python.
Below is a Python simulation of the request structure after encryption.
Generate the encrypted string for the target URL (e.g., http://169.254.169.254/latest/meta-data/)
using the static key. The encryption tooling is not reproducible here due to proprietary DLLs.
ENCRYPTED_PAYLOAD="[bash]"
Target the vulnerable endpoint (Catalog endpoint often more accessible)
curl -k "https://[UEM-SERVER]/catalog/blobhandler.ashx?Url=${ENCRYPTED_PAYLOAD}"
Alternative endpoint
curl -k "https://[UEM-SERVER]/airwatch/blobhandler.ashx?Url=${ENCRYPTED_PAYLOAD}"
Protection from this CVE:
1. Apply the official patch from VMware (versions 20.0.8.37, 20.11.0.40, 21.2.0.27, 21.5.0.37 or later) . 2. If immediate patching is not possible, apply the web.config workaround. 3. Edit the web.config file to block requests to the blobhandler. 4. After modification, restart IIS to apply changes. iisreset 5. Validate the workaround by ensuring the following URLs return 404: curl -k "https://[UEM Console URL]/airwatch/blobhandler.ashx?url=test" curl -k "https://[UEM Console URL]/catalog/blobhandler.ashx?url=test" curl -k "https://[UEM Console URL]/airwatch/blobhandler.ashx?param1=test&url=test" curl -k "https://[UEM Console URL]/catalog/blobhandler.ashx?param1=test&url=test" 6. Restrict network access to the UEM console, allowing only trusted IPs.
Impact:
Successful exploitation allows an unauthenticated, remote attacker to make the UEM console send HTTP requests to internal systems, bypassing firewalls . This can lead to reading sensitive internal metadata (such as AWS IAM credentials from the 169.254.169.254 endpoint) and port-scanning internal networks, effectively using the UEM server as a proxy to compromise the internal network .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

