On May 18, VMware announced the availability of patches for two critical vulnerabilities that impact five software products: Workspace ONE Access, VMware Identity Manager, vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. On the same day, the United States Cybersecurity and Infrastructure Security Agency (CISA) released an Emergency Directive requiring federal entities to mitigate the risks of CVE-2022-22972 and CVE-2022-22973. These two CVEs are authentication bypass and privilege escalation vulnerabilities that can be leveraged to obtain admin privileges in the affected products. VMware has released patches fixing the issues, and while it also provided a temporary workaround, VMware strongly recommends patching as soon as possible.
In April, two other VMware vulnerabilities (CVE-2022-22954 and CVE-2022-22960) had active exploits developed within 48 hours of the patches being released. CISA believes that exploits for the new vulnerabilities will be developed just as quickly and is requiring federal entities to identify and remediate all affected assets. Private industry would be wise to take note of the urgency that federal agencies are applying to this issue and prioritize patching as well.