Companies should immediately patch or remove VMware products affected by newly disclosed critical flaws, warns the US Cybersecurity and Infrastructure Security Agency (CISA).
The drastic measure of removing the products if they can’t be patched is based on past exploitation of critical VMware flaws within 48 hours of disclosure, according to CISA.
VMware on Wednesday 18 May disclosed multiple security flaws in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
The vulnerabilities are tracked as CVE-2022-22972, an authentication bypass with a severity score of 9.8 out of 10, and CVE-2022-22973, a local privilege escalation vulnerability with a score of 7.8.
An attacker with network access to the management user interface could access it without the need for a password, VMware warns in an advisory.
Patches are available, and VMware is urging customers to apply them or mitigate the issues immediately, warning in a separate blog post that the “ramifications of this vulnerability are serious”.
CISA has told US federal