By Sean Lyngaas, CNN
U.S. cybersecurity officials on Wednesday ordered all federal civilian agencies to correct faults in widely used software that officials have said hackers tied to foreign governments are likely to exploit.
“These vulnerabilities pose an unacceptable security risk to the federal network,” Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said in a statement.
CISA’s “emergency directive” gives agencies five days to update the vulnerable software or remove it from their networks. The directive does not apply to Pentagon computer networks, which are not under the jurisdiction of CISA.
The vulnerabilities are in a type of software made by VMware, a California-based tech giant whose products are widely used by the US government.
On April 6, VMware released a patch for software vulnerabilities that could allow hackers to remotely access computer files and dig deeper into a network. Within two days of the patch’s release, hackers had found a way to break into computers using the vulnerabilities, according to CISA. Then, on Wednesday, VMware released software updates for newly discovered vulnerabilities that CISA ordered agencies to fix.
The agency did not identify the hackers or the systems they targeted.
CISA officials use their emergency authority to compel agencies to fix serious software flaws when time is running out and spies or criminals might pounce on them.
The agency has used the authority 10 times in the past three years, including in response to the so-called SolarWinds hacking campaign allegedly carried out by Russian agents.
The SolarWinds incident went undetected by US authorities for many months and resulted in breaches of at least nine federal agencies, including ones that deal with national security, such as the Departments of Homeland Security and Justice.
™ & © 2022 Cable News Network, Inc., a WarnerMedia company. All rights reserved.