CISA urges govt agencies to remove or update VMWare products
US cyber watchdog claims that VMware‘s vulnerabilities pose an unacceptable risk to Federal agencies and require emergency action.
The Cybersecurity and Infrastructure Security Agency (CISA) warned of multiple vulnerable products made by digital services company VMware and instructed federal agencies to either update or remove the products altogether.
CISA indicated that the flaws affect VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Last month VMware patched two flaws (CVE-2022-22954 and CVE-2022-22960). However, according to CISA, threat actors reverse-engineered the vendor updates to develop an exploit within 48 hours and began attacking unpatched devices.
VMware issued updates for two more vulnerabilities (CVE-2022-22972 and CVE-2022-22973) on Wednesday and CISA believes that malicious actors will quickly develop a capability to exploit all four flaws.
„CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch agencies and require emergency action,“ reads a directive CISA issued yesterday.
CISA‘s advisory instructed federal agencies to assume that devices with VMware products connected to the internet are compromised.
According to VMware‘s blog post about the issue, the vulnerabilities are an authentication bypass and a privilege escalation.
“It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,” reads the company’s statement.
More from Cybernews
Subscribe to our newsletter