Detect Omnissa Workspace ONE UEM Server-Side Request Forgery (CVE-2021-22054) in Splunk

Detects exploitation of CVE-2021-22054, a Server-Side Request Forgery (SSRF) vulnerability in Omnissa (formerly VMware) Workspace ONE UEM. An unauthenticated attacker can send crafted HTTP requests to the UEM server, causing it to make arbitrary outbound HTTP/HTTPS requests to internal or external resources. This can be leveraged to scan internal networks, access cloud metadata services (e.g., AWS IMDS), or pivot to internal services not directly reachable by the attacker. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactics: Reconnaissance, Discovery, Lateral Movement

SPL Detection Query

Splunk (SPL)

index=web OR index=network OR index=endpoint earliest=-1h
| eval ssrf_target=if(match(url, "169\.254\.169\.254|metadata\.google\.internal|100\.100\.100\.200|localhost|127\.0\.0\.1|::1"), 1, 0)
| eval uem_path=if(match(uri_path, "/DeviceManagement/|/AirWatch/|/API/mdm/|/mGroups/"), 1, 0)
| where ssrf_target=1 OR (uem_path=1 AND (match(uri_query, "169\.254\.169\.254|localhost|127\.0\.0\.1") OR match(referer, "169\.254\.169\.254")))
| eval cve="CVE-2021-22054"
| eval alert_severity="high"
| stats count AS attempt_count, values(url) AS targeted_urls, values(src_ip) AS source_ips, dc(src_ip) AS unique_sources, earliest(_time) AS first_seen, latest(_time) AS last_seen BY host, cve, alert_severity
| where attempt_count > 0
| sort -attempt_count
| table host, attempt_count, unique_sources, source_ips, targeted_urls, first_seen, last_seen, cve, alert_severity

Severity: high. Confidence: medium.

Searches web, network, and endpoint indexes for SSRF indicators associated with Workspace ONE UEM paths, flagging requests that target cloud metadata endpoints or internal loopback addresses.
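As an added illustration, not part of this detection package, the following Python applies the same indicator logic to constructed IIS W3C log lines; it implements the UEM-path branch of the query (UEM path plus internal or metadata target in the query string or referer) and rolls hits up per server the way the stats clause does. The field order, the sample lines and the use of s-ip in place of Splunk's host field are assumptions.

```python
import re
from urllib.parse import unquote
# Same indicators as the SPL query: cloud metadata endpoints and loopback addresses.
SSRF_TARGET_RE = re.compile(r"169\.254\.169\.254|metadata\.google\.internal|"
                            r"100\.100\.100\.200|localhost|127\.0\.0\.1|::1")
# Workspace ONE UEM request paths named in the SPL query.
UEM_PATH_RE = re.compile(r"/DeviceManagement/|/AirWatch/|/API/mdm/|/mGroups/")
# Assumed IIS W3C #Fields order for the constructed sample below.
FIELDS = ("date time s_ip cs_method cs_uri_stem cs_uri_query s_port "
          "cs_username c_ip cs_user_agent cs_referer sc_status").split()
# Constructed sample (not real telemetry): line 2 carries the target URL-encoded,
# line 4 is not a UEM path and is out of scope for this branch of the detection.
SAMPLE_LOG = """\
2021-12-20 10:00:01 10.0.0.5 GET /DeviceManagement/enrollment url=http://169.254.169.254/latest/meta-data/ 443 - 203.0.113.7 Mozilla/5.0 - 200
2021-12-20 10:00:02 10.0.0.5 GET /DeviceManagement/enrollment url=http%3A%2F%2F127.0.0.1%3A8443%2F 443 - 203.0.113.7 Mozilla/5.0 - 200
2021-12-20 10:00:03 10.0.0.5 GET /AirWatch/Login ReturnUrl=%2FAirWatch%2FHome 443 - 198.51.100.2 Mozilla/5.0 - 302
2021-12-20 10:00:04 10.0.0.5 GET /healthz target=http://localhost/ 443 - 10.0.0.9 curl/7.79 - 200
"""

def parse_iis_line(line):
    """Split one W3C line into a dict; IIS writes '-' for an empty field."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # #Fields header, comment, or truncated record
    return {k: ("" if v == "-" else v) for k, v in zip(FIELDS, parts)}

def is_ssrf_attempt(rec):
    """UEM path AND an internal/metadata target in the query or referer. The query
    is URL-decoded first; the SPL match() runs on the raw uri_query, so a decode
    step (or a decoded field) is needed there for the same coverage."""
    if not UEM_PATH_RE.search(rec["cs_uri_stem"]):
        return False
    return bool(SSRF_TARGET_RE.search(unquote(rec["cs_uri_query"]))
                or SSRF_TARGET_RE.search(rec["cs_referer"]))

def summarize(log_text):
    """Per-server roll-up mirroring the stats clause (s_ip stands in for host)."""
    out = {}
    for rec in filter(None, map(parse_iis_line, log_text.splitlines())):
        if not is_ssrf_attempt(rec):
            continue
        ts = rec["date"] + " " + rec["time"]
        row = out.setdefault(rec["s_ip"], {"attempt_count": 0, "source_ips": set(),
                                           "first_seen": ts, "last_seen": ts})
        row["attempt_count"] += 1
        row["source_ips"].add(rec["c_ip"])
        row["first_seen"] = min(row["first_seen"], ts)
        row["last_seen"] = max(row["last_seen"], ts)
    return out
```

Running summarize(SAMPLE_LOG) yields one row for 10.0.0.5 with two attempts from a single source; the percent-encoded second line is caught only because the query is decoded before matching.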

Data Sources

  • Web proxy logs
  • IIS logs
  • Network logs
  • Endpoint telemetry

Required Sourcetypes

  • iis
  • apache_access
  • pan:traffic
  • wineventlog

False Positives & Tuning

  • Internal monitoring tools performing connectivity checks through the UEM proxy
  • Authorized penetration testing activities generating SSRF payloads
  • Misconfigured third-party MDM integrations forwarding internal URLs
  • Network appliances performing NAT that make internal IPs appear in web logs

Testing Methodology

Validate this detection against the four adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: SSRF via Workspace ONE UEM Unauthenticated Endpoint to IMDS

    Expected signal: IIS access log entry for /DeviceManagement/enrollment with url= parameter containing 169.254.169.254; outbound network connection from UEM server to 169.254.169.254:80

  2. Test 2: SSRF Internal Network Port Scan via Workspace ONE UEM

    Expected signal: Multiple IIS log entries within seconds for /AirWatch/ paths with url= parameters containing RFC1918 addresses on varying ports; timing differences in responses reveal open vs closed ports

  3. Test 3: SSRF to Internal Administrative Interface via Redirect Parameter

    Expected signal: IIS log entry with redirect= parameter pointing to internal host; potential Windows Defender firewall log showing outbound connection from UEM process to internal admin host; Sysmon Event ID 3 network connection from IIS worker process (w3wp.exe) to internal IP

  4. Test 4: SSRF File URI Scheme Attempt for Local File Read

    Expected signal: IIS log entry with file:// URI in URL parameter; absence of outbound network connection (file read is local); potential application error log entries if file:// is rejected by URL validation
