Cybersecurity alert

CISA Releases Emergency Directive Amid Discovery of Vulnerabilities in VMware Products

The Cybersecurity and Infrastructure Security Agency announced that federal agencies have a May 23 deadline to resolve vulnerability issues in five products from cloud computing company VMware that could allow attackers to have deep access without the need to authenticate. The agency said in an emergency directive that the discovered vulnerabilities put federal networks and systems at immediate risk, Federal News Network reported Wednesday.

In its directive, CISA warned that the discovered vulnerabilities pose an unacceptable risk to federal civilian executive branch agencies and require emergency action. Specifically, the agency said that the vulnerabilities exist in VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

CISA Director Jen Easterly said the emergency directive was issued to ensure that federal civilian agencies “take urgent action to protect their networks.” She urged all agencies to immediately take the recommended steps to ensure the security of their networks.

CISA’s directive calls on agencies to remove affected VMware products from their networks until the issues have been patched up. It also directs information security officers to report any anomalies they have identified.

In April, VMware discovered vulnerabilities in its products and released the necessary remedies to customers. However, CISA emphasized that the vulnerabilities it is currently worried about are new, only revealed by VMware on May 18. The agency added that it “expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities.”

The latest emergency directive is the tenth issued by CISA since January 2019.