“These vulnerabilities pose an unacceptable security risk to the federal network,” Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said in a statement.
CISA’s “emergency directive” gives agencies five days to update the vulnerable software or remove it from their networks. The directive does not apply to Pentagon computer networks, which are not under the jurisdiction of CISA.
The vulnerabilities are in a type of software made by VMware, a California-based tech giant whose products are widely used by the US government.
On April 6, VMware released a patch for software vulnerabilities that could allow hackers to remotely access computer files and dig deeper into a network. Within two days of the patch’s release, hackers had found a way to break into computers using the vulnerabilities, according to CISA. Then, on Wednesday, VMWare released software updates for newly discovered vulnerabilities that CISA ordered agencies to fix.
The agency did not identify the hackers or the systems they targeted.
CISA officials use their emergency authority to compel agencies to patch serious software flaws when time is running out and spies or criminals might pounce on them.
The SolarWinds incident went undetected by US authorities for many months. This resulted in the breaching of at least nine federal agencies, including those dealing with national security like the Departments of Homeland Security and Justice.