The U.S. Cybersecurity and Infrastructure Security Agency issues an emergency security directive over VMware vulnerabilities CVE-2022-22972 and CVE-2022-22973, which threat actors are likely to exploit.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive over two new vulnerabilities in VMware products. According to the advisory, threat actors are likely to exploit CVE-2022-22972 and CVE-2022-22973 in several products, including VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, much as they did with CVE-2022-22954 and CVE-2022-22960 in April. CISA has urged organizations to take swift action to mitigate the risks associated with the vulnerabilities.

Threat actors will be quick to exploit new VMware vulnerabilities

On May 18, 2022, VMware released an update for CVE-2022-22972 and CVE-2022-22973, which CISA said it expects threat actors to exploit quickly. “Exploiting the vulnerabilities permits attackers to trigger a server-side template injection that may result in remote code execution (CVE-2022-22954); escalate privileges to ‘root’ (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972),” the security warning read.

CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action. This is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.

Mitigating the new VMware vulnerabilities

To mitigate the risks surrounding the vulnerabilities, CISA stated that all FCEB agencies must complete the following actions:

1. Enumerate all instances of impacted VMware products on agency networks.

2. For all instances of impacted VMware products, either deploy updates per VMware Security Advisory VMSA-2022-0014 or remove them from the agency network until the update can be applied. “Where updates are not available due to products being unsupported by the vendor (e.g., end of service, end of life), unsupported products must be immediately removed from agency networks,” CISA said.

3. For all instances of impacted VMware products that are accessible from the internet, assume compromise, immediately disconnect them from the production network, and conduct threat hunt activities as outlined in the CISA cybersecurity advisory, immediately reporting any anomalies identified to central@cisa.dhs.gov. “Agencies may reconnect these products to their networks only after threat hunt activities are complete with no anomalies detected and updates are applied,” the warning stated.

As for CISA itself, the agency said it will continue to work with partners to monitor for active exploitation associated with the vulnerabilities and will notify agencies and provide additional guidance, as appropriate. “CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this directive,” it added.
By June 30, 2022, CISA said it will provide a report to the secretary of Homeland Security, the national cyber director, the director of the Office of Management and Budget, and the federal CISO identifying cross-agency status and outstanding issues.