InfoSecBulletin Cybersecurity for mankind
Microsoft’s threat intelligence team has reported that ransomware groups are exploiting a critical vulnerability in VMware’s ESXi hypervisors. This allows them to gain full administrative access to systems that are joined to a domain.
The flaw labeled CVE-2024-37085 with a severity score of 6.8 has been used by ransomware groups to spread data-extortion malware on business networks. This information comes from a recent warning issued by Redmond’s threat hunting teams.
184 Million Leaked Credentials Discovered in Open Database
Palo Alto Networks Warns of XSS Flaw: PoC Released
Pwn2Own Berlin reveals 29 critical vulns in major tech firms
High-Severity Flaw Hits Atlassian Jira Data Center
All major mobile networks go down across Spain
Researchers found 200 billion files exposed in cloud buckets
Bank server compromised using customer’s mobile, steal ₹11 crore
“InfoSecCon-2025″ held successfully promising cyber resilience
Intel PC, laptop and server processors affected for 6 years: Report
CVSS 10.0 Flaw
Critical flaw in Siemens OZW Web Servers Enable Unauthenticated RCE
VMware, owned by Broadcom, released patches and workarounds last week. They warned that hackers could use them to gain unauthorized access and control over ESXi hosts. However, they did not mention any real cases of this happening.
“VMware ESXi contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range,” VMware said.
“A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD,” the company added.
Patches were released for ESXi 8.0 and VMware Cloud Foundation 5.x. No patches are scheduled for ESXi 7.0 and VMware Cloud Foundation 4.x.
Microsoft has reported that cybercriminal groups like Storm-0506, Storm-1175, and Octo Tempest have used the VMware ESXi vulnerability to spread ransomware.
“The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years,” Microsoft said.
Microsoft documented a case where a North American engineering firm was hit by Black Basta ransomware. The attackers used CVE-2024-37085 vulnerability to gain higher access to the organization’s ESXi hypervisors.
“Microsoft observed that the threat actor created the ‘ESX Admins’ group in the domain and added a new user account to it…[This] attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor,” the company warned.
VMware ESXi, also known as ES, is a type of hypervisor that gets installed directly on servers and separates them into multiple virtual machines.
