CISA issues Emergency Directive on chained VMware vulnerabilities allowing full system takeover

CISA has issued a Cybersecurity Advisory warning that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 both separately and in combination.

The vulnerabilities are present in VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

CVE-2022-22954 is a server-side template injection (SSTI) flaw that a malicious actor with network access can trigger to achieve remote code execution (RCE); CVE-2022-22960 is a local privilege-escalation flaw, caused by improper permissions in support scripts, that lets an actor with local access escalate privileges to root. Chained together, they allow an unauthenticated attacker to move from network access to full control of the appliance.

VMware released updates for both vulnerabilities on April 6, 2022. Within 48 hours of that release, however, malicious cyber actors had reverse engineered the updates, developed a working exploit and begun exploiting the vulnerabilities on unpatched devices.

CISA recommends that organizations with affected VMware products that are accessible from the internet, and that did not immediately apply the updates, assume compromise and initiate threat-hunting activities to identify malicious activity.
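As an added illustration of the threat-hunting step above (example code written for this page, not CISA's or VMware's own detection signatures): a small Python script that parses web-server access logs and flags query parameters carrying template-expression syntax, the request shape a server-side template injection attempt leaves behind. The log lines, paths, addresses and payload are constructed for the example; the indicator patterns assume a Java/Freemarker template engine, which is an assumption made here and not something the page states. The authoritative IOCs and signatures to hunt with remain those in CISA's advisory.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed access-log lines in combined log format (not real traffic, not from the page).
# Line 2 carries a URL-encoded Freemarker-style expression in a parameter; line 5 carries a
# double-encoded template expression; the others are benign.
SAMPLE_LOGS = [
    '203.0.113.7 - - [13/Apr/2022:10:01:02 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [13/Apr/2022:10:02:17 +0000] "GET /portal/oauth/verify?error=&deviceUdid='
    '%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D HTTP/1.1" 400 312 "-" "python-requests/2.27"',
    '203.0.113.9 - - [13/Apr/2022:10:03:44 +0000] "GET /portal/oauth/verify?error=invalid_request&deviceUdid=6f2c HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [13/Apr/2022:10:04:01 +0000] "POST /SAAS/API/1.0/REST/system/health HTTP/1.1" 200 88 "-" "curl/7.79"',
    '198.51.100.23 - - [13/Apr/2022:10:05:30 +0000] "GET /portal/login?redirect=%2524%257B7*7%257D HTTP/1.1" 200 1024 "-" "curl/7.79"',
]

# Combined-log-format fields we need: source IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Template-expression indicators. Generic SSTI markers plus Freemarker's reflective
# instantiation idiom ('?new()'). Assumed for this example, not taken from the page.
SSTI_PATTERNS = [
    (re.compile(r'\$\{.*\}', re.S), 'dollar-brace expression'),
    (re.compile(r'<#[a-z]+'), 'freemarker directive'),
    (re.compile(r'\?new\(\)', re.I), 'freemarker ?new() built-in'),
    (re.compile(r'freemarker\.template\.utility', re.I), 'freemarker utility class'),
]


def decode_repeatedly(value, rounds=3):
    """URL-decode up to `rounds` times so double-encoded payloads are still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request_target(target):
    """Return (parameter, indicator) pairs for query values that look like template expressions."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl decodes one layer; decode_repeatedly peels any further encoding.
    for key, raw_value in parse_qsl(query, keep_blank_values=True):
        value = decode_repeatedly(raw_value)
        for pattern, label in SSTI_PATTERNS:
            if pattern.search(value):
                hits.append((key, label))
    return hits


def hunt(lines):
    """Parse each log line and return one finding per request with SSTI indicators.

    The HTTP status is reported but not used to filter: a 4xx/5xx response does not
    mean the injected expression failed to evaluate server-side.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = scan_request_target(m.group('target'))
        if not hits:
            continue
        findings.append({
            'src': m.group('ip'),
            'time': m.group('ts'),
            'path': urlsplit(m.group('target')).path,
            'status': int(m.group('status')),
            'params': sorted({key for key, _ in hits}),
            'indicators': sorted({label for _, label in hits}),
        })
    return findings


if __name__ == '__main__':
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Run against real logs, group findings by source address and correlate each hit with process and authentication events from the same window on the appliance; a template expression in a parameter is reason to treat the host as compromised, whatever status code the request returned.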

CISA has provided indicators of compromise (IOCs) and detection signatures to help administrators detect compromise and respond to an attack.
CISA Emergency Directive for VMware vulnerabilities
CISA Cybersecurity Advisory (CSA)