Skip to main content
close search
site logo
Dive Brief

Critical VMware vulnerabilities resurface after threat actors evade patches within 48 hours

Even with new patches available, CISA is concerned that threat actors will easily shake off the fixes once again.

Published May 19, 2022
Matt Kapko's headshot
Senior Reporter
A large hallway with supercomputers inside a server room data center.
luza studios via Getty Images

First published on

Cybersecurity Dive

Dive Brief:

  • VMware customers are under active threat from an adversary exploiting multiple vulnerabilities to remotely execute malicious code and perform root privilege escalation, the Cybersecurity and Infrastructure Security Agency (CISA) warned in an emergency directive Wednesday.
  • The full system control exploits resurfaced after malicious cyber actors, likely advanced persistent threat actors, successfully reverse engineered updates VMware released in early April to address multiple vulnerabilities. Threat actors outmaneuvered VMware’s previous patches and developed an exploit within 48 hours, according to CISA.
  • CISA directed all 101 federal civilian executive branch agencies to identify all instances of the affected VMware products and deploy a pair of patches the vendor released in a security advisory Wednesday or remove the instances from their networks. 

Dive Insight:

This is the latest in an ongoing security saga for VMware, a vendor threat actors have prodded frequently in the last year. 

VMware products are a common and recurring target for threat actors. Log4Shell vulnerabilities in VMware Horizon were exploited to create web shells in January 2022, less than a month after the vendor issued security updates following initial Log4j vulnerability disclosures. Days later, threat actors were installing Cobalt Strike implants in multiple VMware Horizon servers.

Recent security shortcomings, however, have left stakeholders questioning whether fixes will stick. CISA conveyed concerns over VMware’s latest patches, citing threat actors' previous ability to quickly circumvent the vendor’s prescribed fixes. 

“Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18,” CISA wrote in the emergency directive.

The vulnerabilities have the potential for severe damage, rating high on the common vulnerability scoring system, VMware found. The authentication bypass vulnerability, CVE-2022-2292, earned a 9.8 score while the local privilege escalation vulnerability, CVE-2022-22973, received a 7.8. 

Impacted products include VMware’s Workspace ONE Access, Identity Manager, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager. The vendor also warned customers that VMware Identity Manager can authenticate and authorize access to other products, potentially extending the risk to NSX, vRealize Operations, vRealize Log Insight and vRealize Network Insight.

Malicious actors can exploit the vulnerabilities to obtain administrative access without the need to authenticate and escalate privileges to root with local access, according to VMware. “The ramifications of this vulnerability are serious,” VMware wrote in a corollary FAQ.

Organizations using affected VMware products that are accessible online should assume they’ve been compromised and initiate threat-hunting activities, according to CISA. Enterprises or government agencies that detect a potential compromise are advised to follow incident response guidance detailed in CISA’s cybersecurity advisory.

Filed Under: Security

Editors' picks

Company Announcements

View all | Post a press release
PointFive is Apparently the Hottest Cloud Startup, Here is Why
From Jordan Mitchell
November 21, 2024
New Research Reveals AI's Impact on IT's Power, Status, and Pay
From 1E
November 21, 2024
Newgen and Fadata Join Forces to Optimize Insurance Content Management
From Newgen Software
November 13, 2024
NeuBird Named a Cool Vendor in the 2024 Gartner® Cool Vendors™ in IT Operations Leveraging Gen…
From NeuBird
November 11, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell