Attackers could exploit the four vulnerabilities to achieve remote code execution, forcing an affected system to run code of their choosing, or to escalate the privileges of accounts they have already compromised.
The vulnerabilities affect VMware Workspace ONE Access (Access), a digital workspace platform; VMware Identity Manager (vIDM), the platform's "identity and access management component"; VMware vRealize Automation (vRA), an infrastructure automation platform; VMware Cloud Foundation, a hybrid cloud platform; and vRealize Suite Lifecycle Manager, an "application life cycle and content management solution."
“These vulnerabilities pose an unacceptable risk to federal network security,” CISA Director Jen Easterly said in a statement. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization — large and small — to follow the federal government’s lead and take similar steps to safeguard their networks.”
The agency urges organizations to stop using the affected products until they have applied VMware's updates, which CISA said should be done as soon as possible. The updates are detailed in VMware's security advisory.
Organizations whose affected VMware products are reachable from the internet should disconnect them promptly, assume they have already been compromised, and begin "threat hunt activities" rather than treating the patch alone as sufficient.
In April, CISA learned that malicious actors were exploiting two vulnerabilities in these VMware products. On May 18, VMware disclosed two more, and CISA expects attackers to develop working exploits for those as well in short order.
On April 6, VMware released updates that fixed the first two vulnerabilities, according to CISA. Within 48 hours of that release, attackers had reverse-engineered the fixes and built exploits that could be used against systems that had not yet been patched, which is why CISA treats the window between patch release and deployment as the period of greatest risk.
CISA believes the actors exploiting these flaws may include advanced persistent threat (APT) groups, a category of well-resourced, long-running intrusion actors that is commonly associated with nation-states.