Voyager18 (research)

How to fix CVE-2024-37085 in VMware ESXi

Discover CVE-2024-37085, a VMware ESXi vulnerability targeted in ransomware campaigns, and learn how to fix it.

Orani Amroussi | September 8, 2024

In recent months, CVE-2024-37085, a critical authentication bypass vulnerability in VMware ESXi, has become a key target in ransomware campaigns. Attackers are exploiting this flaw to gain administrative access to ESXi systems, especially those connected to Active Directory domains.

If your organization uses VMware ESXi, understanding the risk and taking immediate action to patch or secure your systems is crucial to prevent potential exploitation. In this blog, we’ll cover what CVE-2024-37085 is, who it affects, and how to protect your systems.

TL;DR

Type: Authentication bypass
Severity: High
Wild Exploit: Yes
Platforms: VMware ESXi
Affects: VMware ESXi 8.0, VMware ESXi 7.0
MITRE advisory: Read more
Remediation action: Update to latest patch

What is CVE-2024-37085?

CVE-2024-37085 is a critical authentication bypass vulnerability in VMware ESXi hypervisors that can allow attackers to gain full administrative access.

This vulnerability, particularly affecting ESXi systems integrated with Active Directory, has been actively targeted by ransomware operators, including groups like Storm-0506 and Octo Tempest.

Does it affect me?

If your organization uses VMware ESXi hypervisors and they are joined to an Active Directory domain, this vulnerability could potentially impact you.

Systems running VMware ESXi 8.0 are vulnerable unless updated to a patched version. No patch is available for ESXi 7.0, making these systems particularly vulnerable.

Has CVE-2024-37085 been actively exploited in the wild?

Yes, this vulnerability has been exploited by multiple ransomware groups as a post-compromise attack vector.

Microsoft researchers have observed techniques that involve adding a malicious group named “ESX Admins” to gain administrative privileges on ESXi hypervisors.
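The "ESX Admins" technique above leaves a trail in domain controller security logs. As an added detection example (not code from the post, Microsoft or VMware), the helper below scans constructed Windows Security event records for a group being created, renamed to, or given members under that name; the event ID mapping and the simplified field layout are assumptions.

```python
"""Flag Windows Security events that create, rename into, or add members to an
Active Directory group named "ESX Admins"."""
from typing import Any, Dict, List

# Group name a vulnerable ESXi host maps to its admin role (from the reporting).
ESX_ADMINS = "esx admins"

# Windows Security event IDs for group operations worth watching. These IDs are
# assumed from Windows auditing documentation, not taken from the post.
WATCHED_EVENTS = {
    4727: "security-enabled global group created",
    4728: "member added to security-enabled global group",
    4781: "account renamed",
}

# Constructed sample events in a simplified field layout (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 4727, "TargetUserName": "Finance Users", "SubjectUserName": "svc_hr"},
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe"},
    {"EventID": 4728, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4781, "OldTargetUserName": "Helpdesk", "SubjectUserName": "jdoe",
     "NewTargetUserName": "esx  admins"},
    {"EventID": 4728, "TargetUserName": "Domain Admins", "SubjectUserName": "admin"},
    {"EventID": 4720, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe"},
]

def effective_group_name(event: Dict[str, Any]) -> str:
    """Return the group name the event results in (the new name for renames)."""
    if event.get("EventID") == 4781:
        return str(event.get("NewTargetUserName", ""))
    return str(event.get("TargetUserName", ""))

def normalize(name: str) -> str:
    """Lower-case and collapse whitespace so cosmetic variants still match."""
    return " ".join(name.lower().split())

def find_esx_admins_activity(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per watched event whose resulting group is 'ESX Admins'."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in WATCHED_EVENTS:
            continue  # e.g. 4720 (user account created) is not a group operation
        name = effective_group_name(ev)
        if normalize(name) == ESX_ADMINS:
            findings.append({"event_id": eid, "action": WATCHED_EVENTS[eid], "group": name,
                             "actor": ev.get("SubjectUserName", "unknown"),
                             "member": ev.get("MemberName")})
    return findings

if __name__ == "__main__":
    for f in find_esx_admins_activity(SAMPLE_EVENTS):
        print(f"[{f['event_id']}] {f['action']}: group={f['group']!r} by {f['actor']}")
```

Feed it the same fields exported from your SIEM (TargetUserName, NewTargetUserName, MemberName, SubjectUserName) and treat any hit on a domain that has no legitimate "ESX Admins" group as a high-priority alert.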

How to fix CVE-2024-37085

To mitigate the risk, it is recommended to update VMware ESXi 8.0 systems to the latest patch. For versions without a patch, follow Broadcom’s workaround that strengthens security settings. Additionally, ensure that your ESXi hypervisors are not exposed to the internet and consider Microsoft’s further recommendations for reducing exploitation risk.

Further reading

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Q1 2024 Vulnerability Watch
  2. The MITRE ATT&CK framework: Getting started
  3. The true impact of exploitable vulnerabilities for 2024
  4. Vulnerability disclosure policy (and how to get it right)
  5. How to properly tackle zero-day threats
