CVE-2021-22054 Microsoft Sentinel · KQL

Detect Omnissa Workspace ONE UEM Server-Side Request Forgery (CVE-2021-22054) in Microsoft Sentinel

Detects exploitation of CVE-2021-22054, a Server-Side Request Forgery (SSRF) vulnerability in Omnissa (formerly VMware) Workspace ONE UEM. An unauthenticated attacker can send crafted HTTP requests to the UEM server, causing it to make arbitrary outbound HTTP/HTTPS requests to internal or external resources. This can be leveraged to scan internal networks, access cloud metadata services (e.g., AWS IMDS), or pivot to internal services not directly reachable by the attacker. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Reconnaissance Discovery Lateral Movement

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let ssrf_indicators = dynamic(["169.254.169.254", "metadata.google.internal", "100.100.100.200", "localhost", "127.0.0.1", "::1"]);
let workspace_one_paths = dynamic(["/DeviceManagement/", "/AirWatch/", "/API/", "/mGroups/"]);
let time_window = 1h;
union
(
  CommonSecurityLog
  | where TimeGenerated >= ago(time_window)
  | where DeviceProduct has_any ("Workspace ONE", "AirWatch", "VMware UEM")
  | where RequestURL has_any (ssrf_indicators) or DestinationHostName has_any (ssrf_indicators)
  | project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, Activity, DeviceProduct, AdditionalExtensions
),
(
  W3CIISLog
  | where TimeGenerated >= ago(time_window)
  | where csUriStem has_any (workspace_one_paths)
  | where csUriQuery has_any (ssrf_indicators) or csReferer has_any (ssrf_indicators)
  | project TimeGenerated, cIP, csMethod, csUriStem, csUriQuery, scStatus, csHost
),
(
  DeviceNetworkEvents
  | where TimeGenerated >= ago(time_window)
  | where InitiatingProcessFileName has_any ("Airwatch", "AwApi", "UEM")
  | where RemoteUrl has_any (ssrf_indicators) or RemoteIP in ("169.254.169.254", "127.0.0.1")
  | project TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, ActionType
)
| extend AlertSeverity = "High"
| extend CVE = "CVE-2021-22054"
| order by TimeGenerated desc
high severity medium confidence

Detects SSRF exploitation attempts against Workspace ONE UEM by correlating IIS web logs, CommonSecurityLog entries, and network events for requests targeting internal metadata services or loopback addresses initiated from or through the UEM process.

Data Sources

CommonSecurityLogW3CIISLogDeviceNetworkEvents

Required Tables

CommonSecurityLogW3CIISLogDeviceNetworkEvents

False Positives & Tuning

  • Legitimate health check processes that probe internal endpoints from the UEM server
  • Vulnerability scanners or internal security tools targeting the UEM server during authorized assessments
  • Misconfigured integrations that inadvertently send requests to loopback or link-local addresses
  • Load balancer or proxy health probes that surface as internal IP requests in web logs

Other platforms for CVE-2021-22054

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1SSRF via Workspace ONE UEM Unauthenticated Endpoint to IMDS

    Expected signal: IIS access log entry for /DeviceManagement/enrollment with url= parameter containing 169.254.169.254; outbound network connection from UEM server to 169.254.169.254:80

  2. Test 2SSRF Internal Network Port Scan via Workspace ONE UEM

    Expected signal: Multiple IIS log entries within seconds for /AirWatch/ paths with url= parameters containing RFC1918 addresses on varying ports; timing differences in responses reveal open vs closed ports

  3. Test 3SSRF to Internal Administrative Interface via Redirect Parameter

    Expected signal: IIS log entry with redirect= parameter pointing to internal host; potential Windows Defender firewall log showing outbound connection from UEM process to internal admin host; Sysmon Event ID 3 network connection from IIS worker process (w3wp.exe) to internal IP

  4. Test 4SSRF File URI Scheme Attempt for Local File Read

    Expected signal: IIS log entry with file:// URI in URL parameter; absence of outbound network connection (file read is local); potential application error log entries if file:// is rejected by URL validation

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2021-22054 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0043ReconnaissanceTA0007DiscoveryTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1046Network Service DiscoveryT1552.005Cloud Instance Metadata APIT1210Exploitation of Remote Services

Same Tactic: Reconnaissance

Popular Detections