CISA Warns Federal Agencies to Mitigate Critical VMware Vulnerabilities by May 23
The Cybersecurity and Infrastructure Security Agency (CISA) has warned US government agencies to immediately patch critical vulnerabilities in VMware products. The security authority instructed all federal agencies to remove the actively exploited VMware offerings from their networks if patches can’t be applied by May 23, 2022.
VMware recently disclosed multiple security flaws in five different services that could lead to remote code execution (RCE) and privilege escalation on affected systems. Tracked as CVE-2022-22954 and CVE-2022-22960, the vulnerabilities impact VMware Identity Manager, Workspace ONE Access, vRealize Suite Lifecycle Manager, VMware vRealize Automation, and VMware Cloud Foundation.
“These vulnerabilities pose an unacceptable risk to federal network security,” explained CISA Director Jen Easterly. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government’s lead and take similar steps to safeguard their networks.”
CISA has advised all government agencies to determine the number of vulnerable VMware products in their environments and mitigate them by 5 PM EDT, May 23, 2022. If patching isn’t possible, IT admins have been told to remove all the unpatched products from their networks by the same deadline. CISA says agencies may reconnect these products only after applying all the security updates.
CISA details mitigation steps for some affected products
It is important to note that VMware products are widely used by US government agencies, and the CISA incident response team is currently helping a “large organization” mitigate the CVE-2022-22954 flaw. CISA has also observed exploitation attempts against many other organizations.
Meanwhile, VMware has outlined a couple of steps to help IT admins mitigate these actively exploited security flaws on select affected products. “VMware recognizes that additional patches are inconvenient for IT staff, but we balance that concern with a commitment to transparency, keeping our customers informed and ahead of potential attacks,” VMware noted in a FAQ document.