CISA orders agencies to patch actively exploited VMware critical flaws

May 20, 2022
CISA Patch Management Vulnerability Abuse VMware Critical Flaws

CISA has ordered federal civilian agencies, through an emergency directive, to immediately patch critical flaws in VMware products. The agency issued the directive after its incident response team found CVE-2022-22954 being actively exploited against a large organisation.

CISA added that it had also received reports of exploitation, including indicators of compromise (IOCs), involving other large organisations from trusted third-party providers.

Security researchers have also warned that several state-backed operators are exploiting two critical flaws, CVE-2022-22954 (a server-side template injection that yields remote code execution) and CVE-2022-22960 (a local privilege escalation), which affect VMware Workspace ONE Access (Access), VMware Cloud Foundation, VMware vRealize Automation (vRA), VMware Identity Manager (vIDM) and vRealize Suite Lifecycle Manager.

The emergency directive notes that threat actors reverse-engineered the patches VMware released on April 6 to build working exploits, and have since used them against systems that were not updated.

Having determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies, CISA directed them to act on the issue immediately.

Two further VMware critical flaws, CVE-2022-22972 and CVE-2022-22973, are expected to be exploited in the same way attackers have already abused the earlier pair. In the attacks observed so far, the threat actors chained the flaws together, using one to gain initial code execution and another to escalate privileges.

In one incident last month, a threat actor with network access to the web interface exploited CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate that user's privileges to root, at which point they could wipe logs, grant themselves further permissions and move laterally to other systems on the network.

In a separate incident, CISA observed an actor exploiting CVE-2022-22954 to deploy the Dingo J-spy webshell on victims' servers. A webshell is a malicious script planted on a web server that lets the attacker run commands on the host through ordinary web requests, giving them persistent remote access from which to push deeper into the environment.

Having confirmed in-the-wild exploitation of CVE-2022-22954 and CVE-2022-22960, CISA issued the emergency directive to shrink the window in which attackers can use these two flaws against federal systems.

The directive also requires all federal civilian agencies to complete the required actions and report their status to CISA by May 24.
