Cyber Security Alert From CISA – Threat Actors Exploiting Multiple VMware Flaws

These vulnerabilities, CVE-2022-22954 and CVE-2022-22960, affect certain versions of:

• VMware Workspace ONE Access
• VMware Identity Manager (vIDM)
• VMware vRealize Automation (vRA)
• VMware Cloud Foundation, and
• vRealize Suite Lifecycle Manager.

What Does This Mean for our Clients

Exploiting these vulnerabilities allows threat actors to trigger a server-side template injection that may result in remote code execution (RCE) or escalation of privileges to root. Based on the activity currently seen, CISA expects threat actors to quickly develop a way to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products.

CISA’s Recommendations

• Immediately patch impacted VMware products to the latest version or remove impacted versions from organizational networks.
• For all businesses with affected VMware products that are accessible from the internet that have not applied updates immediately, assume compromise and initiate threat hunting activities using the detection methods provided in the CSA.
• If potential compromise is detected, apply the incident response recommendations included in the CSA.

Although LoughTec’s Security Operations Centre has not seen any indicators of compromise in our partner’s environments, we urge you to patch as soon as possible. We will continue to actively monitor the situation and are confident that our experienced MDR analysts and technology will continue to protect your business.

Contact Cyber Security Company LoughTec for a free no-obligation discussion on your business cyber security posture. Call +44 (0) 28 8225 2445 or email info@loughtec.com.