Pierluigi Paganini
August 01, 2024
Researchers at the Shadowserver Foundation reported that approximately 20,000 VMware ESXi servers exposed online appear impacted by the exploited vulnerability CVE-2024-37085.
We have started sharing exposed VMware ESXi vulnerable to CVE-2024-37085 (authentication bypass). While rated only CVSS 6.8 by Broadcom, this vuln has been reported by Microsoft as exploited in the wild by ransomware operators.
— The Shadowserver Foundation (@Shadowserver) July 31, 2024
We see 20 275 instances vulnerable on 2024-07-30. pic.twitter.com/wTkqDSLQ38
Microsoft this week warned that multiple ransomware gangs are exploiting the recently patched vulnerability CVE-2024-37085 (CVSS score of 6.8) in VMware ESXi flaw.
“Microsoft researchers have uncovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors.” warned Microsoft.
The flaw is an authentication bypass vulnerability in VMware ESXi.
“A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD.” reads the advisory published by the virtualization giant.
The company released patches for security vulnerabilities affecting ESXi 8.0 and VMware Cloud Foundation 5.x. However, no patches are planned for the older versions, ESXi 7.0 and VMware Cloud Foundation 4.x. Users of the unsupported versions are recommended to upgrade to newer versions to receive security updates and support.
Microsoft reported that multiple financially motivated groups like Storm-0506, Storm-1175, and Octo Tempest have already exploited this vulnerability to deploy ransomware.
“Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks.” continues Microsoft. “In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments. “
Shadowserver researchers observed 20 275 instances vulnerable to CVE-2024-37085 on 2024-07-30.
“VMware ESXi CVE-2024-37085 authentication bypass vulnerability. While only rated MEDIUM criticality (CVSS 6.8) by Broadcom, we consider the vulnerability much more serious as it is being exploited in the wild by ransomware actors. If you receive an alert for your instance, please check for compromise and update. This is a version based scan.” reads the report published by Shadowserver. “We do not check for workarounds or whether the ESXi hypervisor is domain joined, a condition of exploitability. Any report should be viewed as potentially vulnerable and to be verified by the recipient. Tagged as cve-2024-37085. [tagging first added 2024-07-30]”
However, some of the exposed instances may have been temporary secured through workarounds.
“For clarity: these are potentially vulnerable as this is a remote version check only for patch status. We do not have detection of any workarounds in place nor do we check whether other pre-conditions of exploitability exist (domain-joined ESXi hypervisors).” states Shadowserver.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, VMware ESXi)
