How to fix CVE-2024-37085 in VMware ESXi

TL;DR

What is CVE-2024-37085?

CVE-2024-37085 is a critical authentication bypass vulnerability in VMware ESXi hypervisors that can allow attackers to gain full administrative access.

This vulnerability, particularly affecting ESXi systems integrated with Active Directory, has been actively targeted by ransomware operators, including groups like Storm-0506 and Octo Tempest.

Does it affect me?

If your organization uses VMware ESXi hypervisors and they are joined to an Active Directory domain, this vulnerability could potentially impact you.

Systems running VMware ESXi 8.0 are vulnerable unless updated to a patched version. No patch is available for ESXi 7.0, making these systems particularly vulnerable.

Has CVE-2024-37085 been actively exploited in the wild?

Yes, this vulnerability has been exploited by multiple ransomware groups as a post-compromise attack vector.

Microsoft researchers have observed techniques that involve adding a malicious group named “ESX Admins” to gain administrative privileges on ESXi hypervisors.

How to fix CVE-2024-37085

To mitigate the risk, it is recommended to update VMware ESXi 8.0 systems to the latest patch. For versions without a patch, follow Broadcom’s workaround that strengthens security settings. Additionally, ensure that your ESXi hypervisors are not exposed to the internet and consider Microsoft’s further recommendations for reducing exploitation risk.

Further reading

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

1. Q1 2024 Vulnerability Watch
2. The MITRE ATT&CK framework: Getting started
3. The true impact of exploitable vulnerabilities for 2024
4. Vulnerability disclosure policy (and how to get it right)
5. How to properly tackle zero-day threats