US cybersecurity officials on Wednesday ordered all federal civilian agencies to fix flaws in widely used software that officials said foreign government-linked hackers are likely moving to exploit.
“These vulnerabilities pose an unacceptable risk to federal network security,” US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said in a statement.
The “emergency directive” from CISA gives agencies five days to either update the vulnerable software or remove it from their networks. The directive does not apply to the Pentagon computer networks, which are not under CISA’s jurisdiction.
The vulnerabilities are in a type of software made by VMware, a California-based technology giant whose products are widely used in the US government.
VMware on April 6 issued a fix for the software flaws, which could allow hackers to remotely access computer files and burrow further into a network. Within two days of the fix’s release, hackers had figured out a way to break into computers using the vulnerabilities, according to CISA. Then, on Wednesday, VMWare released software updates for newly discovered vulnerabilities that CISA has ordered agencies to address.
The agency did not identify the hackers or what systems they had targeted.
CISA officials use their emergency authority to compel agencies to address serious software flaws when time is of the essence and spies or criminals might pounce on them.
The agency has used the authority 10 times in the last three plus years, including in response to the so-called SolarWinds hacking campaign allegedly carried out by Russian operatives.
The SolarWinds incident went undetected by US officials for many months. It resulted in the breach of at least nine federal agencies, including those dealing with national security like the departments of Homeland Security and Justice.