Shadowserver researchers have reported that more than 20,000 internet-exposed VMware ESXi instances are vulnerable to the actively exploited flaw known as CVE-2024-37085. This authentication bypass vulnerability allows malicious actors with sufficient Active Directory permissions to gain full access to ESXi hosts configured for user management through Active Directory. Microsoft has issued a warning that multiple ransomware gangs are actively exploiting this vulnerability, which has a CVSS score of 6.8, to obtain administrative permissions on compromised systems.
The flaw enables attackers to re-create the default Active Directory group “ESXi Admins” after it has been deleted, thus allowing them to gain unauthorized access. Microsoft has confirmed that financially motivated groups such as Storm-0506, Storm-1175, and Octo Tempest have utilized this vulnerability to deploy ransomware in various attacks. Patches have been released for ESXi 8.0 and VMware Cloud Foundation 5.x; however, no updates are planned for older versions, including ESXi 7.0, leaving many systems at risk.
Shadowserver’s analysis revealed 20,275 vulnerable instances as of July 30, 2024, underscoring the severity of the situation. The report emphasizes that, despite the medium criticality rating by Broadcom, the vulnerability poses a serious threat due to its exploitation by ransomware actors. Users are advised to check for signs of compromise and to upgrade their systems to the latest versions to receive necessary security updates.
Researchers have also noted that some exposed instances may have been temporarily secured through workarounds, but these are not accounted for in the vulnerability assessment. Shadowserver’s remote version checks only indicate patch status, lacking detection capabilities for potential workarounds or conditions that could affect exploitability, such as domain-joined ESXi hypervisors. As the situation evolves, organizations are urged to remain vigilant and take proactive measures to protect their systems from these emerging threats.
Reference: