The Cybersecurity and Infrastructure Security Agency has released an emergency directive asking federal civilian agencies to apply updates or remove certain VMware products from their networks to help mitigate potential vulnerabilities in such products.
CISA issued the directive after it found that a series of four vulnerabilities in several VMware products were being exploited by malicious cyber actors, the agency said Wednesday.
The impacted VMware products include VMware Workspace ONE Access, VMware Cloud Foundation, VMware Identity Manager, VMware vRealize Automation and vRealize Suite Lifecycle Manager.
According to the emergency directive, by May 23 all federal civilian agencies should enumerate all instances of impacted VMware products on agency networks and either deploy updates or remove those instances from the network until updates are implemented.
By May 24, agencies should report the status of all instances outlined in the directive’s first required action.
“These vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly, a 2022 Wash100 Award winner.
“CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government’s lead and take similar steps to safeguard their networks,” added Easterly.