VMware ESXi Vulnerability Exposes Thousands of Servers to Ransomware


A vulnerability in VMware’s ESXi virtualization platform continues to leave thousands of servers exposed to ransomware attacks, despite active exploitation by cybercriminals and warnings from major security organizations.

Researchers from the Shadowserver Foundation have identified a staggering 20,275 ESXi instances vulnerable to CVE-2024-37085, a medium-severity authentication bypass flaw. This vulnerability enables malicious actors to seize full administrative control of affected systems, paving the way for devastating ransomware attacks and extensive data theft.

While successful exploitation of CVE-2024-37085 requires elevated privileges on the target device and user interaction, Microsoft has sounded the alarm about multiple ransomware gangs actively leveraging this flaw to escalate their attacks and gain full administrative control of domain-joined hypervisors. Once compromised, these virtualized environments become fertile ground for stealing sensitive data, infiltrating networks, and encrypting critical files, often resulting in extortion demands.

The ubiquity of VMware ESXi in enterprise data centers amplifies the potential fallout from this vulnerability. A successful breach can jeopardize the operations of entire organizations and compromise the security of numerous virtual machines (VMs) hosted on the affected hypervisor.

Broadcom has released a patch for CVE-2024-37085, and organizations are strongly urged to apply it immediately. For environments where patching is not immediately feasible, VMware has published mitigation steps that involve disabling local user accounts and adjusting Active Directory permissions.

The Cybersecurity and Infrastructure Security Agency (CISA) has also issued a directive mandating that U.S. Federal Civilian Executive Branch (FCEB) agencies address this vulnerability with urgency due to the ongoing ransomware attacks exploiting this flaw.

The Shadowserver Foundation’s research has revealed a large number of potentially vulnerable instances worldwide, with the highest counts found in France (3,000), the United States (2,279), and Germany (2,022). The organization’s findings underscore the urgent need for affected entities to secure their systems promptly.

“For clarity: these are potentially vulnerable as this is a remote version check only for patch status. We do not have detection of any workarounds in place nor do we check whether other pre-conditions of exploitability exist (domain-joined ESXi hypervisors),” Shadowserver Foundation clarified in their disclosure.

Organizations that rely on VMware ESXi must prioritize patching this vulnerability and implementing robust security measures to protect their virtualized environments from the growing threat of ransomware attacks.
