The Cybersecurity and Infrastructure Security Agency (CISA) today issued an emergency directive ordering Federal government civilian branch agencies that run several VMware products to update those products or remove them from agency networks until updates can be made.
CISA said in a press release that the emergency directive responds to “observed or expected active exploitation” of a “series of vulnerabilities (CVE-2022-22954, CVE-2022-22960, CVE-2022-22972, CVE-2022-22973) in the following VMware products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, vRealize Suite Lifecycle Manager (impacted VMware products).”
“Exploiting one of the four vulnerabilities permits attackers to execute remote code on a system without authentication and elevate privileges,” CISA said.
“For all affected VMware products identified as being accessible from the internet, agencies are directed to assume a compromise and immediately disconnect the product from their network and conduct threat hunt activities,” the agency said.
In its emergency directive, CISA ordered all Federal civilian agencies to complete patching by May 23 or, failing that, to take the affected products offline. The agency said the emergency directive would remain in effect “until CISA determines that all agencies operating affected software have performed all required actions from this Directive or the Directive is terminated through other appropriate action.”
“These vulnerabilities pose an unacceptable risk to Federal network security,” commented CISA Director Jen Easterly.
“CISA has issued this Emergency Directive to ensure that Federal civilian agencies take urgent action to protect their networks,” she said. “We also strongly urge every organization – large and small – to follow the Federal government’s lead and take similar steps to safeguard their networks.”