CISA Warns Federal Agencies to Mitigate Critical VMware Vulnerabilities by May 23


The Cybersecurity and Infrastructure Security Agency (CISA) has warned US government agencies to immediately patch critical vulnerabilities in VMware products. The security authority instructed all federal agencies to remove the actively exploited VMware offerings from their networks if patches can’t be applied by May 23, 2022.

VMware recently disclosed multiple security flaws across five products that could lead to remote code execution (RCE) and privilege escalation on affected systems. Tracked as CVE-2022-22954 and CVE-2022-22960, the vulnerabilities impact VMware Identity Manager, Workspace ONE Access, vRealize Suite Lifecycle Manager, VMware vRealize Automation, and VMware Cloud Foundation.

“These vulnerabilities pose an unacceptable risk to federal network security,” explained CISA Director Jen Easterly. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government’s lead and take similar steps to safeguard their networks.”

CISA has advised all government agencies to identify every vulnerable VMware product in their environments and mitigate them by 5 PM EDT, May 23, 2022. If patching isn’t possible, it has told IT admins to remove all unpatched products from their networks by the same deadline. CISA says agencies may reconnect these products once all the security updates have been applied.

CISA details mitigation steps for some affected products

It is important to note that VMware is widely used by US government agencies, and the CISA incident response team is currently helping a “large organization” mitigate the CVE-2022-22954 flaw. CISA has also observed exploitation attempts against many other organizations.

Meanwhile, VMware has outlined a couple of steps to help IT admins mitigate these actively exploited security flaws on select affected products. “VMware recognizes that additional patches are inconvenient for IT staff, but we balance that concern with a commitment to transparency, keeping our customers informed and ahead of potential attacks,” VMware noted in a FAQ document.