CISA Alert AA22-138B – Threat actors chaining unpatched VMware vulnerabilities for full system control.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack One Three Eight Bravo.

​​Original release date: May Eighteenth, twenty twenty two.

Last revised: May Nineteenth, twenty twenty two.

CISA is releasing this cybersecurity advisory to warn organizations that malicious cyber actors are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect versions of VMware products. Successful exploitation permits malicious actors to trigger a server-side template injection that may result in remote code execution or escalation of privileges to root level access. 

VMware released updates for both vulnerabilities on April 6, 2022. Malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and began exploiting the vulnerabilities in unpatched devices.

Based on this activity, CISA expects cyber actors to quickly develop exploits for the new VMware vulnerabilities CVE 2022 dash 22972 and 22973. In response, CISA has released Emergency Directive 22 dash 03, which requires emergency action from Federal Civilian Executive Branch agencies to immediately implement updates or remove the affected software from their network. This directive and resources remediation actions can be found in the show notes.

CISA has received information, including indicators of compromise, about observed exploitation already underway at multiple large organizations from trusted third parties.

The alert documentation provides indicators of compromise and detection signatures for this malicious activity. Due to the rapid exploitation of these vulnerabilities, CISA strongly encourages all organizations with VMware products who did not immediately apply the updates to assume compromise and initiate threat hunting activities. Detection methods are provided in the alert documentation. If potential compromise is detected, administrators should apply the incident response procedures included in this alert.

Links to these resources, including alert documentation, indicators of compromise, mitigation actions, and remediation procedures are listed in the show notes.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.