CISA has issued Emergency Directive (ED) 22-03 and released a Cybersecurity
Advisory (CSA) in response to active and expected exploitation of multiple
vulnerabilities in the following VMware products: VMware Workspace ONE Access
(Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA),
VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

The CSA, AA22-138B:
Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control,
provides indicators of compromise and detection signatures from CISA as well as
trusted third parties to assist administrators with detecting and responding to
active exploitation of CVE-2022-22954 and CVE-2022-22960. Malicious cyber
actors were able to reverse engineer the vendor updates to develop an exploit
within 48 hours and quickly began exploiting these disclosed vulnerabilities in
unpatched devices. Based on this activity, CISA expects malicious cyber actors
to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973,
which were disclosed by VMware on May 18, 2022.

ED 22-03 directs
all Federal Civilian Executive Branch agencies to enumerate all instances of
affected VMware products and either deploy updates provided in VMware
Security Advisory VMSA-2022-0014, released May 18, 2022, or remove those
instances from agency networks.

CISA strongly encourages all organizations to deploy updates provided in VMware
Security Advisory VMSA-2022-0014 or remove those instances from
networks. CISA also encourages organizations with affected VMware products that
are accessible from the internet to assume compromise and initiate threat
hunting activities using the detection methods provided in the CSA. If
potential compromise is detected, administrators should apply the incident
response recommendations included in the CSA.