InfoSecBulletin Cybersecurity for mankind
Microsoft’s threat intelligence team has reported that ransomware groups are exploiting a critical vulnerability in VMware’s ESXi hypervisors. This allows them to gain full administrative access to systems that are joined to a domain.
The flaw labeled CVE-2024-37085 with a severity score of 6.8 has been used by ransomware groups to spread data-extortion malware on business networks. This information comes from a recent warning issued by Redmond’s threat hunting teams.
CVE-2025-1268
Patch urgently! Canon Fixes Critical Printer Driver Flaw
Within Minute, RamiGPT To Escalate Privilege Gaining Root Access
Australian fintech database exposed in 27000 records
Over 200 Million Info Leaked Online Allegedly Belonging to X
FBI investigating cyberattack at Oracle, Bloomberg News reports
OpenAI Offering $100K Bounties for Critical Vulns
Splunk Alert User RCE and Data Leak Vulns
CIRT alert Situational Awareness for Eid Holidays
Cyberattack on Malaysian airports: PM rejected $10 million ransom
Micropatches released for Windows zero-day leaking NTLM hashes
VMware, owned by Broadcom, released patches and workarounds last week. They warned that hackers could use them to gain unauthorized access and control over ESXi hosts. However, they did not mention any real cases of this happening.
“VMware ESXi contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range,” VMware said.
“A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD,” the company added.
Patches were released for ESXi 8.0 and VMware Cloud Foundation 5.x. No patches are scheduled for ESXi 7.0 and VMware Cloud Foundation 4.x.
Microsoft has reported that cybercriminal groups like Storm-0506, Storm-1175, and Octo Tempest have used the VMware ESXi vulnerability to spread ransomware.
“The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years,” Microsoft said.
Microsoft documented a case where a North American engineering firm was hit by Black Basta ransomware. The attackers used CVE-2024-37085 vulnerability to gain higher access to the organization’s ESXi hypervisors.
“Microsoft observed that the threat actor created the ‘ESX Admins’ group in the domain and added a new user account to it…[This] attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor,” the company warned.
VMware ESXi, also known as ES, is a type of hypervisor that gets installed directly on servers and separates them into multiple virtual machines.
