VMware ESXi Authentication Bypass Vulnerability

CVE-2024-37085
7.2HIGH

Key Information

Vendor
VMware
Status
Vmware Esxi
Vmware Cloud Foundation
Vendor
CVE Published:
25 June 2024

Badges

🔥 No. 1 Trending😄 Trended👾 Exploit Exists🔴 Public PoC📰 News Worthy

Summary

The VMware ESXi Authentication Bypass Vulnerability, tracked with CVE-2024-37085, allows malicious actors with sufficient Active Directory permissions to gain full access to ESXi hypervisors by re-creating the configured AD group 'ESXi Admins' after it was deleted from AD. Exploitation has been observed in the wild and has been followed by the deployment of ransomware, specifically Akira and Black Basta. The vulnerability is being actively exploited by several ransomware groups. Ransomware operators have been observed leveraging this vulnerability to deploy file-encrypting malware, gaining elevated permissions to ESXi hypervisors, and carrying out further malicious activities. The potential impact of exploitation includes the encryption of the file system of the hypervisor, data exfiltration, and lateral movement within the network. VMware has released patches to address the vulnerability, and organizations are advised to apply the updates promptly to mitigate the risk.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2024-37085 as being exploited and is known by the CISA as enabling ransomware campaigns.

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

VMware ESXi < 8.0

VMware ESXi = 7.0

VMware Cloud Foundation = 5.x

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-37085-RCE-POC
Created by Florian-Hoth

News Articles

favicon image

BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets

The pivot is one of several changes the groups using the malware have used in recent attacks.

3 months ago

favicon imageSecurity Affairs

+20,000 internet-exposed VMware ESXi instances vulnerable to CVE-2024-37085

Researchers reported that over 20,000 internet-exposed VMware ESXi instances are affected by the actively exploited CVE-2024-37085.

4 months ago

favicon imageTechRepublic

Microsoft Says VMware ESXi Flaw is Being Exploited By Ransomware Groups

The CVE-2024-37085 vulnerability is present in VMware ESXi hypervisors and has been used to deploy ransomware, according to Microsoft.

4 months ago

EPSS Score

1% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🔥

    Vulnerability reached the number 1 worldwide trending spot.

  • 👾

    Exploit exists.

  • Vulnerability started trending.

  • First article discovered by CybersecurityNews

  • Vulnerability published.

  • Vulnerability Reserved.

Collectors

NVD DatabaseMitre DatabaseCISA Database1 Proof of Concept(s)19 News Article(s)
.