DIRE CYBERSECURITY WARNING ISSUED FOR VMware PRODUCTS

The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive (ED) 22-03 and released a Cybersecurity Advisory (CSA) in response to the active and expected exploitation of multiple vulnerabilities in the following VMware products:

  • VMware Workspace ONE Access (Access),
  • VMware Identity Manager (vIDM),
  • VMware vRealize Automation (vRA),
  • VMware Cloud Foundation, and
  • vRealize Suite Lifecycle Manager.

Because of critical security flaws identified by CISA, these products should be either patched immediately or completely removed from your network.

CISA issued this advisory as a dire warning because of what happened the last time critical security flaws were discovered in VMware products. Following the previous warning, malicious cyber actors reverse engineered the vendor updates, developed an exploit within 48 hours of disclosure, and quickly began exploiting the disclosed vulnerabilities in unpatched devices. Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which VMware disclosed on May 18, 2022.

CISA has strongly encouraged all organizations to deploy updates provided in VMware Security Advisory VMSA-2022-0014 or remove those instances from networks. CISA also encourages organizations with affected VMware products that are accessible from the internet to assume compromise and initiate threat hunting activities using the detection methods provided in the CSA. If potential compromise is detected, administrators should apply the incident response recommendations included in the CSA.

Patches that protect against the exploitation of these flaws are already available. VMware likewise advises customers using the impacted products to apply them as soon as possible, describing the ramifications of delaying as “serious.”

REMEMBER: Every day you don’t patch, you have a target on your back.

CISA issued the same warning to federal agencies, saying: “CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products. Exploiting the above vulnerabilities permits attackers to trigger a server-side template injection that may result in remote code execution (CVE-2022-22954); escalate privileges to ‘root’ (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972).”

Since the May 18, 2022, release, CISA has continued to update its alerts with additional threat actor activity, victims tied to this warning, and more identified vulnerabilities. The updated information can be found on the CISA website.