“These vulnerabilities pose an unacceptable risk to federal network security,” US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said in a statement.
The “emergency directive” from CISA gives agencies five days to either update the vulnerable software or remove it from their networks. The directive does not apply to the Pentagon computer networks, which are not under CISA’s jurisdiction.
The vulnerabilities are in a type of software made by VMware, a California-based technology giant whose products are widely used in the US government.
VMware on April 6 issued a fix for the software flaws, which could allow hackers to remotely access computer files and burrow further into a network. Within two days of the fix’s release, hackers had figured out a way to break into computers using the vulnerabilities, according to CISA. Then, on Wednesday, VMWare released software updates for newly discovered vulnerabilities that CISA has ordered agencies to address.
The agency did not identify the hackers or what systems they had targeted.
CISA officials use their emergency authority to compel agencies to address serious software flaws when time is of the essence and spies or criminals might pounce on them.
The SolarWinds incident went undetected by US officials for many months. It resulted in the breach of at least nine federal agencies, including those dealing with national security like the departments of Homeland Security and Justice.