Researchers from Shadowserver have reported that more than 20,000 VMware ESXi instances exposed to the internet are running versions vulnerable to CVE-2024-37085. The flaw, which is being actively exploited, is an authentication bypass in ESXi hypervisors that have been joined to Active Directory (AD) for user management. Such hosts automatically grant full administrative rights to members of an AD group with a configured name (‘ESX Admins’ by default, set through the advanced option Config.HostAgent.plugins.hostsvc.esxAdminsGroup), and they match the group by name rather than by its security identifier (SID). An attacker with sufficient AD permissions can therefore re-create that group after it has been deleted, or rename another group to the same name, add an account to it, and obtain full control of every ESXi host that trusts the domain.
Microsoft has highlighted the severity of this vulnerability, noting that multiple ransomware gangs, including Storm-0506, Storm-1175, and Octo Tempest, are exploiting it to deploy ransomware. Although the flaw is rated medium severity (CVSS score of 6.8), because it requires AD privileges that an attacker must already hold, its active exploitation makes it considerably more dangerous than the score suggests. These operators use it after an initial compromise of the domain, turning stolen AD access into administrative control of the hypervisors and then encrypting the virtual machines they host, with Akira and Black Basta among the ransomware families deployed.
VMware has addressed the issue by releasing patches for the newer versions, specifically ESXi 8.0 and VMware Cloud Foundation 5.x. No patches are available for older versions such as ESXi 7.0 and VMware Cloud Foundation 4.x, and Broadcom’s advisory lists the fix for those versions as not planned, pointing instead to a workaround: disabling the automatic granting of administrative rights to the configured AD group (the Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd setting). Users running these older versions are advised to apply the workaround now and upgrade to a supported release to receive security updates, since leaving the default configuration in place keeps their hosts exposed.
Shadowserver’s scan found 20,275 instances potentially vulnerable to CVE-2024-37085, though some may already have the workaround in place. The researchers stress that their scan checks only the version reported by the host: it does not verify whether the workaround has been applied, whether the host is joined to AD at all, or whether the other conditions for exploitability are met. Organizations are urged to check their hosts for signs of compromise, apply the available updates or the workaround promptly, and remove ESXi management interfaces from the internet to mitigate the risk from this actively exploited vulnerability.
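Because a version check alone does not tell an administrator whether a host is actually exposed, the following PowerCLI script, added here as an example and not code from Shadowserver, VMware or Microsoft, inventories every host in a vCenter and reports the conditions that matter: whether the host is joined to AD, whether it still auto-grants admin rights to the configured group, and what that group name is. It assumes the VMware.PowerCLI module is installed and that the placeholder vCenter name is replaced with a real one; the optional remediation at the end runs with -WhatIf so nothing is changed until that switch is removed.

```powershell
# Added example, not part of the original article. Assumes VMware.PowerCLI is installed
# and that $vcenter (a placeholder) is replaced with a reachable vCenter Server.
$vcenter = 'vcenter.example.internal'
Connect-VIServer -Server $vcenter | Out-Null

$autoAddOption = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'
$groupOption   = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'

$results = foreach ($h in Get-VMHost) {
    $auth    = Get-VMHostAuthentication -VMHost $h
    $autoAdd = Get-AdvancedSetting -Entity $h -Name $autoAddOption
    $group   = Get-AdvancedSetting -Entity $h -Name $groupOption

    # A host that is not joined to a domain cannot be reached through this flaw.
    $adJoined  = -not [string]::IsNullOrEmpty($auth.Domain)
    # Compare as text so the check works whether the value comes back as [bool] or as a string.
    $autoAddOn = "$($autoAdd.Value)" -eq 'True'

    [pscustomobject]@{
        Host         = $h.Name
        Version      = $h.Version
        Build        = $h.Build
        Domain       = $auth.Domain
        MemberStatus = $auth.DomainMembershipStatus
        AdminsGroup  = $group.Value
        AutoAdd      = $autoAddOn
        # Exposed: trusts AD for logins and still hands admin rights to whatever AD group
        # carries the configured name. A patched 8.0 host should already report AutoAdd = False.
        Exposed      = $adJoined -and $autoAddOn
    }
}

$results | Sort-Object Exposed -Descending | Format-Table -AutoSize

# Optional: apply the documented workaround on exposed hosts (dry run; remove -WhatIf to apply).
foreach ($r in $results | Where-Object Exposed) {
    $host = Get-VMHost -Name $r.Host
    Get-AdvancedSetting -Entity $host -Name $autoAddOption |
        Set-AdvancedSetting -Value $false -Confirm:$false -WhatIf
}

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Run it from a workstation with PowerCLI and review the table before removing -WhatIf. Disabling auto-add does not revoke access from an ‘ESX Admins’ group that already exists and is legitimately used; it only stops the host from trusting a group by name, so confirm who is in that group in AD at the same time.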