Original Release Date: 12/7/2020
The National Security Agency (NSA) released a Cybersecurity Advisory on Russian state-sponsored actors exploiting CVE-2020-4006, a command-injection vulnerability in VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector. The actors were found exploiting this vulnerability to access protected data on affected systems.
Password-based access to the web-based management interface of the device is required to exploit the vulnerability, so using a strong and unique password lowers the risk of exploitation. The risk is lowered further if the web-based management interface is not accessible from the Internet.
While the NSA encourages National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators to prioritize mitigation of the vulnerability on affected servers, the NJCCIC recommends all members review this Cybersecurity Advisory and the VMware Security Advisory for information on the vulnerability, affected products, updates, and the available workaround.
We encourage recipients who discover signs of malicious cyber activity to contact us via the cyber incident report form here.