Uncle Sam’s Cybersecurity and Infrastructure Security Agency (CISA) has issued two warnings in a single day to VMware users, as it believes the virtualization giant’s products can be exploited by miscreants to gain control of systems.

The agency rates this threat as sufficiently serious to demand US government agencies pull the plug on their VMware products if patches can’t be applied.

Of the two warnings, one highlights a critical authentication bypass vulnerability – CVE-2022-22972, rated 9.8 out of 10 on the CVSS scale – that VMware revealed on Wednesday.

The flaw impacts five products: Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, vRealize Suite Lifecycle Manager and VMware Cloud Foundation. We’re told “a malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.”

The vulnerability in Cloud Foundation is terrifying, as that product is VMware’s tool for building and managing hybrid multi-cloud rigs running virtual machines and containers. That means an unauthorized user may be able to gain admin-level privileges and drive those resources on-prem, and potentially also on VMware-powered public clouds, of which there are over 4,000 run by VMware partners, plus partnerships with AWS, Microsoft, Google, Oracle, IBM Cloud, and Alibaba Cloud.

The impact on the other products is also significant, as Identity Manager and Workspace ONE Access can grant access to apps and SaaS services through VMware’s application publishing tools, while vRealize has wide automation abilities that could touch on many aspects of hybrid cloud operations.

A second flaw, CVE-2022-22973, also revealed Wednesday, allows attackers to become root in VMware Workspace ONE Access and VMware Identity Manager. The flaw is rated 7.8 out of 10.

The threat posed by the two security holes is so significant that CISA issued an emergency directive requiring US civilian government agencies to pull any internet-exposed implementations of Virtzilla’s vulnerable wares from production by May 23 as they should be considered compromised. US government agencies must also enumerate all use of the impacted products and patch them by the same deadline. If patching isn’t possible, CISA wants the products removed from agency networks whether they are internet-facing or not.

VMware is very widely used by US government agencies. If its products are turned off, considerable productivity and service disruption will likely follow.

CISA’s other warning to VMware users regards the flaws the IT giant revealed in early April 2022. The cybersecurity agency says attackers, which it feels are probably advanced persistent threat actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination to gain “full system control.” The flaws disclosed in April impact the same products as those hit by today’s disclosure.

A CISA incident response team is already working at a “large organization where the threat actors exploited CVE-2022-22954,” the agency’s advisory states. Indicators of exploitation and compromise have been spotted “at multiple other large organizations from trusted third parties.”

VMware’s FAQ about today’s disclosure asks, “Why is there a second VMSA for these software components?”

VMware’s answer states:

Yet as the CISA advice suggests, VMware customers are not getting ahead of these attacks. Instead, they’re on a patching treadmill. ®