Discover CVE-2024-37085, a VMware ESXi vulnerability targeted in ransomware campaigns, and learn how to fix it.
| Field | Value |
|---|---|
| Type | Authentication bypass |
| Severity | High |
| Exploited in the wild | Yes |
| Platforms | VMware ESXi |
| Affects | VMware ESXi 8.0 |
| MITRE advisory | |
| Remediation action | Update to latest patch |
CVE-2024-37085 is a critical authentication bypass vulnerability in VMware ESXi hypervisors that can allow attackers to gain full administrative access.
This vulnerability, which affects ESXi hosts joined to an Active Directory domain, has been actively targeted by ransomware operators, including groups such as Storm-0506 and Octo Tempest.
If your organization uses VMware ESXi hypervisors and they are joined to an Active Directory domain, this vulnerability could potentially impact you.
Systems running VMware ESXi 8.0 are vulnerable unless updated to a patched version. No patch is available for ESXi 7.0, making these systems particularly vulnerable.
Yes: this vulnerability has been exploited by multiple ransomware groups, as a post-compromise vector rather than an initial entry point.
Microsoft researchers have observed techniques that involve adding a malicious group named “ESX Admins” to gain administrative privileges on ESXi hypervisors.
To mitigate the risk, it is recommended to update VMware ESXi 8.0 systems to the latest patch. For versions without a patch, follow Broadcom’s workaround that strengthens security settings. Additionally, ensure that your ESXi hypervisors are not exposed to the internet and consider Microsoft’s further recommendations for reducing exploitation risk.
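The Microsoft observation above (a domain group named "ESX Admins" being created to obtain ESXi administrative rights) is something a domain controller's security audit log records before the hypervisor is touched. The script below is an added detection example, not code from the page, Microsoft or Broadcom: it scans Windows Security event records for the creation, modification, rename or membership change of a group named "ESX Admins". It assumes each record is a flat dict keyed by the Windows event XML data names (`EventID`, `TargetUserName`, `MemberName`, `OldTargetUserName`, `NewTargetUserName`, `SubjectUserName`); adapt that mapping to your SIEM's schema. The name match is deliberately case- and whitespace-insensitive as a defensive choice, not a statement about how ESXi itself compares group names. All sample events are constructed.

```python
"""Detection example for the CVE-2024-37085 abuse pattern: a domain group named
"ESX Admins" is created, modified, renamed into existence, or has members added,
so that domain-joined ESXi hosts grant that group administrative rights.

Input records are assumed to be flat dicts keyed by the Windows Security event
XML data names (EventID, TargetUserName, ...). Sample events are constructed.
"""

# Standard Windows Security auditing event IDs.
GROUP_CREATED = {4727, 4731, 4754}   # security-enabled global/local/universal group created
GROUP_CHANGED = {4735, 4737, 4755}   # security-enabled local/global/universal group changed
MEMBER_ADDED = {4728, 4732, 4756}    # member added to a security-enabled group
ACCOUNT_RENAMED = {4781}             # "The name of an account was changed" (users and groups)

WATCHED_GROUP = "esx admins"


def normalize(name):
    """Lower-case and collapse whitespace so 'ESX  Admins' and 'esx admins' match.
    Deliberately broad: a false positive here is cheap, a miss is not."""
    return " ".join((name or "").split()).lower()


def classify(event):
    """Return an alert dict if the event touches a group named 'ESX Admins', else None."""
    eid = int(event.get("EventID", 0))

    # Renames carry the new name in NewTargetUserName rather than TargetUserName.
    if eid in ACCOUNT_RENAMED:
        if normalize(event.get("NewTargetUserName")) == WATCHED_GROUP:
            return {"eid": eid,
                    "reason": "account renamed to ESX Admins",
                    "old_name": event.get("OldTargetUserName"),
                    "by": event.get("SubjectUserName")}
        return None

    if normalize(event.get("TargetUserName")) != WATCHED_GROUP:
        return None
    if eid in GROUP_CREATED:
        reason = "group ESX Admins created"
    elif eid in GROUP_CHANGED:
        reason = "group ESX Admins modified"
    elif eid in MEMBER_ADDED:
        reason = "member %s added to ESX Admins" % event.get("MemberName")
    else:
        return None
    return {"eid": eid, "reason": reason, "by": event.get("SubjectUserName")}


def scan(events):
    """Run classify() over a sequence of event records and return the alerts in order."""
    return [alert for alert in (classify(e) for e in events) if alert]


# Constructed sample records: one benign user creation, the abuse pattern in three
# forms (create, add member, rename with odd spacing), and one unrelated group.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "svc-backup", "SubjectUserName": "helpdesk01"},
    {"EventID": 4727, "TargetUserName": "ESX Admins", "TargetDomainName": "CORP",
     "SubjectUserName": "jdoe"},
    {"EventID": 4728, "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example", "SubjectUserName": "jdoe"},
    {"EventID": 4781, "OldTargetUserName": "Marketing-Team",
     "NewTargetUserName": "esx  admins", "SubjectUserName": "jdoe"},
    {"EventID": 4727, "TargetUserName": "Finance Admins", "SubjectUserName": "helpdesk01"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT event %d: %s (by %s)" % (alert["eid"], alert["reason"], alert["by"]))
```

In a real deployment the interesting signal is usually the rename path: an attacker who cannot create groups may still be able to rename one they already control, so 4781 should be watched alongside the group-creation IDs, and any hit should be correlated with the domain-joined ESXi hosts' own permission refresh.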
Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: