VMware releases security updates
VMware has released security updates to address critical vulnerabilities in Carbon Black App Control. Exploitation of these flaws could allow a malicious actor to execute arbitrary code on affected installations on Windows systems. Tracked as CVE-2022-22951 and CVE-2022-22952, the critical security bugs (CVSS score of 9.1) are described as OS command injection and file upload vulnerabilities. The flaws affect Carbon Black App Control versions 8.5.x, 8.6.x, 8.7.x, and 8.8.x, and have been remediated in versions 8.5.14, 8.6.6, 8.7.4, and 8.8.2.
VMware advises customers to apply updates.
More information on the vulnerabilities and updates is available in VMware security advisory VMSA-2022-0008.
25 March 2022