The Information Highway

The Information Highway

Font size: +
2 minutes reading time (344 words)

VMware ESXi flaw exploited by ransomware group

Threat update

A VMware ESXi vulnerability, known as CVE-2024-37085, has been discovered and it is actively exploited by several ransomware groups. Review this Cybersecurity Threat Advisory to learn how to limit the impact of this flaw. 

Technical Detail and Additional Info

What is the threat?

CVE-2024-37085 is an Active Directory (AD) integration authentication bypass vulnerability that, when successfully exploited, gives an attacker full administrative access to the ESXi hypervisor by default without any further validation. It adds new users to the "ESX Admins" domain group. This group does not exist by default but becomes available once you gain higher privileges on the ESXi hypervisor, which then automatically grants full privileges to users added to it, leaving businesses exposed. 

Why is it noteworthy?

CVE-2024-37085 was discovered by multiple hacker groups and are using three different methods to exploit the flaw. The three different methods are:

  • Adding "ESX Admins" to the domain and adding a user to it
  • Renaming any group in the domain to "ESX Admins" and then adding a user either new or existing
  • ESXi hypervisor privilege refresh so that full admin privilege is not immediately removed in order for the threat actors to abuse it

What is the exposure or risk?

CVE-2024-37085 affects the following products and versions:

  • VMware ESXi 8.0
  • VMware ESXi 7.0
  • VMware Cloud Foundation 5.x
  • VMware Cloud Foundation 4.x


Upon gaining access, ransomware groups can steal sensitive data, move through victims' networks, and encrypt the ESXi hypervisor's file system, leading to disruption of business operations. 

What are the recommendations?

 LBT Technology Group recommends the following actions to limit the impact of CVE-2024-37085:

  • Apply available updates to the affected device at your earliest availability
  • Enforce password cyber hygiene by protecting highly privileged accounts with multifactor authentication (MFA) or isolate privileged accounts to prevent access
  • Ensure affected ESXi servers are not exposed to public internet

References

How company size affects the email threats targeti...
Fake IT support sites push malicious PowerShell sc...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023