Server-side template injection: when the page renderer runs the attacker's code
CVE-2022-22954 is a template-injection bug in VMware Workspace ONE Access. A template engine meant to render data into a page rendered attacker input into code execution instead, unauthenticated, on the appliance that brokers your single sign-on. Attackers had an exploit 48 hours after the patch.
Template engines exist to merge data into a page: you give them a template with placeholders and some values, and they produce HTML. Server-side template injection (SSTI) is what happens when attacker-controlled input reaches the engine as part of the template rather than as a value. Template languages are usually small programming languages, so getting the engine to evaluate your input means getting it to run your code. CVE-2022-22954 is a clean, high-impact example: a FreeMarker template-injection flaw in VMware Workspace ONE Access and Identity Manager that let an unauthenticated attacker submit a template expression that instantiates FreeMarker's Execute utility and runs shell commands on the appliance. CVSS 9.8, and the appliance in question is the one that brokers single sign-on for the organization.
What the bug is
Workspace ONE Access (and the related Identity Manager) handled certain input through the FreeMarker template engine in a way that let an unauthenticated remote attacker reach template evaluation. By injecting a FreeMarker expression that instantiates an Execute object, the attacker achieves remote code execution as the appliance's VMware service account. VMware shipped a patch on April 6, 2022, and Rapid7 documented widespread exploitation shortly after. CISA's advisory AA22-138B noted likely-APT actors exploiting it, often chained with CVE-2022-22960 (a local privilege escalation) to reach root, and commodity actors dropping coin miners. The detail worth flagging: attackers reverse-engineered VMware's patch and had a working exploit within roughly 48 hours, then hit unpatched appliances hard.
Two things worth internalizing
SSTI is its own bug class, and it's everywhere templates meet user input. FreeMarker here, but the pattern recurs across Jinja2 (Python), Velocity and FreeMarker (Java), Twig and Smarty (PHP), and others. The mistake is rendering user-controlled data as a template instead of passing it as data to a fixed template. The fixes are well known: never compile or evaluate a template built from user input; pass user data only as bound variables into a static template; use the engine's sandbox or restricted mode if it has one (FreeMarker, for example, lets you disable the ?new built-in that the exploit relies on, and Jinja2 has a SandboxedEnvironment); and treat any feature that lets users supply template syntax (custom email templates, report formats, "personalization" tokens) as high-risk and lock down which constructs are allowed. A quick check when testing: submit an arithmetic expression in the engine's syntax, such as ${7*7} or {{7*7}}, and see whether the response contains 49. If it does, your input is being parsed as template, not data, and the rest is a matter of what the engine exposes. If you build with a template engine, know whether user input can ever reach it as template rather than as a value.
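The template-versus-data distinction described above, shown as an added example rather than code from the page or from VMware's product: a minimal Java program using FreeMarker's public API, with the vulnerable pattern (user input concatenated into template source) next to the hardened one (fixed template, input bound as a variable, ?new disabled). The class name, the greeting template, and the `id` command are illustrative assumptions; the ?new built-in, freemarker.template.utility.Execute, and TemplateClassResolver.ALLOWS_NOTHING_RESOLVER are real FreeMarker features.

```java
import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class SstiDemo {

    // Constructed attacker input (not a real request captured from any
    // product): a FreeMarker expression that instantiates
    // freemarker.template.utility.Execute via the ?new built-in and calls it.
    static final String ATTACKER_INPUT =
            "${\"freemarker.template.utility.Execute\"?new()(\"id\")}";

    // VULNERABLE: the user-supplied string becomes part of the template
    // source, so the engine parses ${...} inside it as an expression and
    // evaluates it. With FreeMarker's default UNRESTRICTED_RESOLVER, ?new
    // may instantiate any class, including Execute.
    static String renderVulnerable(String userName)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        String templateSource = "<h1>Welcome, " + userName + "</h1>";
        Template t = new Template("greeting", new StringReader(templateSource), cfg);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // HARDENED: the template is a fixed string with a placeholder, and the
    // user's input is bound as the value of that placeholder. The engine
    // never parses the input, so a "${...}" in it is emitted as literal text.
    // Defence in depth: refuse to resolve any class for ?new, so even a
    // template that somehow contains attacker syntax cannot reach Execute.
    // HTML output format turns on auto-escaping, which covers XSS, a
    // separate issue from SSTI.
    static String renderSafe(String userName)
            throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
        Template t = new Template("greeting",
                new StringReader("<h1>Welcome, ${userName}</h1>"), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("userName", userName);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Safe path: the payload is rendered back as escaped text.
        System.out.println(renderSafe(ATTACKER_INPUT));
        // Vulnerable path: the payload runs `id` on the host and its output
        // lands in the page. Only run this to demonstrate the bug locally.
        System.out.println(renderVulnerable(ATTACKER_INPUT));
    }
}
```

Compile with FreeMarker 2.3.x on the classpath (the org.freemarker:freemarker artifact). The primary fix is the shape of renderSafe, a static template with the input bound as data; setNewBuiltinClassResolver is a second layer for the case where template source is ever assembled from anything partly untrusted, and it is worth setting globally in any FreeMarker application that does not need ?new.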
The patch is a roadmap, and the window is short. The 48-hour turnaround from VMware’s fix to a working public exploit is the operational lesson. A patch diff tells a skilled attacker exactly what changed and therefore where the bug is, so the gap between “patch released” and “exploit available” for an internet-facing appliance is now measured in hours to a couple of days, not weeks. For internet-facing infrastructure, “we’ll get to it next maintenance cycle” loses the race; these need emergency patching.
And the asset matters: Workspace ONE Access is an identity and access-management appliance, the thing that authenticates users into everything else. RCE on the identity broker is a path to the keys for the whole environment, which is why APTs went after it specifically.
What to do
- Patch Workspace ONE Access / Identity Manager to a fixed version immediately, and patch the chained CVE-2022-22960 too. Treat identity-infrastructure bugs as emergencies.
- Get the appliance’s web interface off the open internet where possible, behind VPN or strict access controls. Much of the exploitation hit internet-facing instances.
- Assume compromise on exposed, unpatched appliances. With exploitation within 48 hours of the patch and APT involvement, an instance that lagged should be investigated for web shells, the VMware process spawning shells, coin miners, and the privilege-escalation follow-on. Given it’s the identity layer, also review for credential and token theft, and rotate accordingly.
- For developers: audit template usage. Find every place user input could reach a template engine, ensure it’s passed as data not template, and enable sandboxing. SSTI is preventable by construction.
The reframe is to recognize template injection as a first-class web vulnerability and to treat identity appliances as crown-jewel infrastructure. CVE-2022-22954 combined both: a template engine tricked into executing code, on the system that controls who gets into everything, exploited within two days of the fix shipping. Don’t render untrusted input as a template, patch internet-facing identity infrastructure on the vendor’s clock rather than yours, and assume the exploit exists the moment the patch does. We flag the SSTI and identity-broker entries with extra weight, because one turns a web request into code execution and the other turns code execution into the whole directory.