“The Cybersecurity and Infrastructure Security Agency issued an emergency directive Wednesday requiring federal civilian agencies to patch vulnerable VMware products that could be chained together for full system control.
If agencies aren’t able to deploy necessary updates within five days, by May 23, to the affected VMware services, they must take them off agency networks immediately until an update is possible, per the directive…
VMware itself called the vulnerabilities ‘critical,’ rating them 9.8 out of 10 in severity.
‘CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action,’ the directive says. ‘This determination is based on the confirmed exploitation of [prior vulnerabilities] by threat actors in the wild, the likelihood of future exploitation of [the new vulnerabilities], the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.’…”
Source: CISA directs civilian agencies to patch ‘critical’ VMware vulnerabilities – By Billy Mitchell, May 18, 2022. FedScoop.