The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 22-03 (ED 22-03), Mitigate VMware Vulnerabilities, requiring federal civilian executive branch agencies running specific VMware products to apply VMware updates or remove the products from agency networks until the update can be applied.
Although ED 22-03 is only directed to federal agencies, CISA encourages public and private sector organizations to review it, along with our cybersecurity advisory, and take steps to mitigate these vulnerabilities before they can be exploited by malicious cyber actors.
The emergency directive is in response to observed or expected active exploitation of a series of vulnerabilities in the following VMware products:
Successful exploitation of one of the four vulnerabilities permits attackers to execute remote code on a system without authentication and elevate privileges.
In addition to ED 22-03, CISA also published a cybersecurity advisory, Threat Actors Chaining VMware Vulnerabilities for Full System Control, with additional details on the exploitation, detection methods, incident response recommendations, and mitigation guidance.
VMware released updates for CVE-2022-22954 and CVE-2022-22960 on April 6, 2022, and, according to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices.
Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities in the same impacted VMware products.