CMS Hybrid Cloud Launches the 2025 Q2 CMS Enterprise Security Campaign

Summary

Starting May 5th, 2025, the CMS Hybrid Cloud Team will begin the Q2 2025 CMS Enterprise Security Campaign.

Any findings will be tracked via Jira tickets and assigned to the respective teams to remediate risks. The Q2 CMS Enterprise Security Campaign is targeting a list of five (5) Common Vulnerabilities and Exposures (CVEs) sourced from Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.

On May 21st, 2025, new AWS Security Hub GuardRails will be added to all accounts to prevent reintroduction of certain findings back into the CMS environment.

Benefits

Resolving findings in customers' Jira tickets ensures CMS systems remain secure. Participating in proactive, routine security activities, such as this CMS Enterprise Security Campaign, reduces the risk of unauthorized and/or malicious activity.

The CMS Enterprise Security Campaign will target and identify the following CVEs from CISA's KEV catalog:

Targeted Known Exploited Vulnerabilities (KEVs)

CVEs on KEV List	Plugin ID	Description	Severity
CVE-2025-24813	232528	Apache Tomcat 9.0.0.M1 < 9.0.99	Critical
CVE-2025-24813	232529	Apache Tomcat 10.1.0.M1 < 10.1.35	Critical
CVE-2025-22224	226452	VMware ESXi 7.0 / 8.0 Out-of-bounds Write (CVE-2025-22224)	Critical
CVE-2025-24813	233710	Amazon Linux 2 : tomcat (ALAS-2025-2812)	Critical
CVE-2025-24813	233297	Apache Tomcat Path Equivalence RCE (CVE-2025-24813)	Critical

Note: Operating System (OS)-level findings are remediated by the CMS Hybrid Cloud Team for customers who receive regular CMS Gold Image patching services. Please note that CMS customers are responsible for patching any software installed on top of the provided CMS Gold Image.

For all accounts, CMS Hybrid Cloud will deploy auto-remediation for the following Security Hub controls:
- GuardRails / auto-remediations (Security Hub controls):
  - SNS.4 - SNS topic access policies should not allow public access.
  - S3.5 - S3 general purpose buckets should require requests to use SSL.
- CMS customer teams with existing findings for these Security Hub controls will receive a Jira ticket.
  - Teams will either need to resolve the finding or obtain an exemption.

Expected Actions

CMS customer teams with findings will receive a Jira ticket.
- If you would like to obtain an exemption, you will need to complete an attestation.
CMS customers should resolve all received Jira tickets as soon as possible.
- For help, please refer to the "Questions or Concerns" section below for instructions on how to submit a Hybrid Cloud Support Ticket.
Failure to resolve findings can lead to compromised systems that result in greater risks for unauthorized and/or malicious activity.
Unresolved system flaws will result in Plan of Action and Milestones (POA&Ms) being issued against the Federal Information Security Modernization Act (FISMA) boundary.

Timeline

May 5th, 2025: CMS customers with findings will receive Jira tickets for the finding noted in the "Benefits" section above.
May 21st, 2025: CMS Hybrid Cloud will add new AWS Security Hub GuardRails to all accounts to protect CMS systems from reintroducing findings back into the environment.

Additional Information

Questions or Concerns

We look forward to helping you and your team. Reach out to your IUSG Hosting Coordinator with any questions. For further help, please fill out a Hybrid Cloud Support ticket specifying Service as "Security Hub" and Request as "Security Hub Findings".

You are subscribed to receive email messages about CMS Cloud Operations, Changes, and Outages from the Centers for Medicare & Medicaid Services (CMS).

To update your subscription(s), preferences or to stop receiving messages from the CMS Cloud Operations, Changes, and Outages Updates- distribution list, please go to our Subscriber Preferences Page.

This email was sent to NPrm5pk4s@niepodam.pl using GovDelivery Communications Cloud 7500 Security Boulevard · Baltimore MD 21244