
US security agency issues emergency alert over vulnerable VMware products

A string of actively exploited critical vulnerabilities across five popular VMware products has been described as an "unacceptable risk" to government systems

The US’ Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency advisory instructing all federal agencies to patch or remove a number of actively exploited VMware products.

A total of five different VMware services have been found to be vulnerable to a chained attack that could lead to remote code execution (RCE) and escalation of privileges to root.

CISA said that “these vulnerabilities pose an unacceptable risk” to federal agencies and the situation required “emergency action”.

The agency’s instruction to either patch immediately or remove the affected products is mandatory for all federal civilian agencies and strongly advised for the private sector.

It’s currently unknown who is exploiting the VMware vulnerabilities, but CISA said it is likely to be an Advanced Persistent Threat (APT) hacking group – a type of group that is often backed by nation-states.

A CISA incident response team has already been deployed to one large organisation that has reported evidence of an attack, and “multiple other large organisations” have also been affected, according to information received by CISA.

The affected VMware products are VMware Workspace ONE Access (Access), VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

Two vulnerabilities in the affected products were patched on 6 April, but CISA said attackers were able to reverse engineer the patches and begin exploiting the underlying flaws within 48 hours of the update’s release.

Tracked as CVE-2022-22954 and CVE-2022-22960, the vulnerabilities are RCE and privilege escalation flaws with CVSSv3 severity scores of 9.8 and 7.8 respectively.

VMware released patches for two additional vulnerabilities on Wednesday, tracked as CVE-2022-22972 and CVE-2022-22973.

The first is an authentication bypass flaw in VMware Workspace ONE Access, Identity Manager, and vRealize Automation, and carries the more serious CVSSv3 score of 9.8. CVE-2022-22973 is a local privilege escalation vulnerability in VMware Workspace ONE Access and Identity Manager, with a CVSSv3 score of 7.8.

CISA believes that the same APT group is likely to reverse engineer the new patches as quickly as it did the April ones and combine the two new flaws with the two from April into an attack chain that could lead to full system compromise.

Federal agencies have been told to assess how many vulnerable VMware products they have running on their network and either apply VMware’s patches, or remove all the products until they can be patched.

Agencies have also been told that if they had vulnerable products exposed to the internet, they should assume those systems have already been compromised, begin active threat hunting, and report any anomalies to CISA.


Agencies may reconnect the products only once they have found no anomalies and applied all the necessary updates.

CISA’s November 2021 binding operational directive (BOD 22-01), which requires federal agencies to remediate every flaw on its growing catalogue of known exploited vulnerabilities by a set deadline, also covers CVE-2022-22954 and CVE-2022-22960.

The two flaws were added to the list of must-patch security issues in April; patching them is compulsory for all departments tasked with safeguarding federal information and information systems.

An earlier 2019 directive (BOD 19-02) also applies here: it requires the same federal agencies to remediate critical and high-severity vulnerabilities on internet-accessible systems within fixed timeframes.
