CISA Issues Rare Directive Regarding VMware Exploits

May 19, 2022 By Jonathan Slusar

In a directive posted on May 18, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) declared that all Federal Civilian Executive Branch agencies are required to take action on several VMware products:

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

This directive was released because attackers were able to successfully reverse engineer a security patch that VMware had provided for the impacted products, and because of the suspicion that attackers could likewise reverse engineer a security update released on May 18 for two new vulnerabilities (CVE-2022-22972 and CVE-2022-22973). Successful exploitation could allow an attacker to escalate user privileges, execute code remotely within the network, and obtain access to administrative accounts or systems without needing to authenticate. It should be noted that both CVE-2022-22972 and CVE-2022-22973 carry a CVSSv3 rating of 7.8 (Important) or 9.8 (Critical).

CISA has recommended that impacted users first enumerate all instances of the impacted software (listed above) that are deployed within a given network. Once all installations have been enumerated, they should either install the updates contained in VMware Security Advisory VMSA-2022-0014 or remove all installations until a secure, vetted update can be installed.

This is regarded as a notable occurrence because urgent CISA directives are released so infrequently. It is anticipated that an attacker who successfully exploits the listed VMware products could obtain sensitive information, compromise user systems, and obtain sustained access to organizations' networks.

The RSM War Room will continue to monitor the ongoing situation and provide updates as necessary.
