Press Release

CISA Issues Emergency Directive Requiring Federal Agencies Mitigate Vulnerabilities in VMware Products

Released
Revised

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 22-03 today requiring federal civilian executive branch agencies running specific VMware products to apply VMware updates or remove the products from agency networks until the update can be applied. For all affected VMware products identified as being accessible from the internet, agencies are directed to assume a compromise and immediately disconnect the product from their network and conduct threat hunt activities.

The directive is in response to observed or expected active exploitation of a series of vulnerabilities (CVE 2022-22954, CVE 2022-22960, CVE-2022-22972, CVE-2022-22973) in the following VMware products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, vRealize Suite Lifecycle Manager (impacted VMware products). Exploiting one of the four vulnerabilities permits attackers to execute remote code on a system without authentication and elevate privileges./p>

CISA also published a cybersecurity advisory with additional details on the threat, detection methods, incident response recommendations, and mitigation guidance.

“These vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government’s lead and take similar steps to safeguard their networks.”

Although ED 22-03 is only directed to federal agencies, CISA encourages public and private sector organizations to review it, along with our cybersecurity advisory, and take steps to mitigate these vulnerabilities before they can be exploited by malicious cyber actors.

Read the full Emergency Directive (ED) 22-03.

About CISA:

As the nation’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency (CISA) leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day. Visit CISA.gov for more information.

Visit CISA on TwitterFacebookLinkedInInstagram 

###