InfoSecBulletin Cybersecurity for mankind
Microsoft’s threat intelligence team has reported that ransomware groups are exploiting a critical vulnerability in VMware’s ESXi hypervisors. This allows them to gain full administrative access to systems that are joined to a domain.
The flaw labeled CVE-2024-37085 with a severity score of 6.8 has been used by ransomware groups to spread data-extortion malware on business networks. This information comes from a recent warning issued by Redmond’s threat hunting teams.
Hackers Exploits RCE flaw in Cisco Small Business Router
CISA Alerts For Active Exploited Zimbra and Microsoft flaw
200 Fake GitHub Repos Attacking Developers to Deliver Malware
Renew Dubai visa within minutes with AI-powered Salama
CVE-2024-20953
CISA Flags Oracle Agile PLM Actively Exploited Security Flaw
Stablecoin Bank Hacked – Hackers Stolen $49.5M
CVE-2025-20029
PoC Exploit Released for F5 BIG-IP Command Injection Vuln
By 1 April 2025
Australia Bans Kaspersky on its govt systems and devices
CISA Flags Craft CMS Code Injection Flaw Amid Active Attacks
B1ack’s Stash Releases 1 Million Credit Cards on a Deep Web Forum
VMware, owned by Broadcom, released patches and workarounds last week. They warned that hackers could use them to gain unauthorized access and control over ESXi hosts. However, they did not mention any real cases of this happening.
“VMware ESXi contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range,” VMware said.
“A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD,” the company added.
Patches were released for ESXi 8.0 and VMware Cloud Foundation 5.x. No patches are scheduled for ESXi 7.0 and VMware Cloud Foundation 4.x.
Microsoft has reported that cybercriminal groups like Storm-0506, Storm-1175, and Octo Tempest have used the VMware ESXi vulnerability to spread ransomware.
“The number of Microsoft Incident Response (Microsoft IR) engagements that involved the targeting and impacting ESXi hypervisors have more than doubled in the last three years,” Microsoft said.
Microsoft documented a case where a North American engineering firm was hit by Black Basta ransomware. The attackers used CVE-2024-37085 vulnerability to gain higher access to the organization’s ESXi hypervisors.
“Microsoft observed that the threat actor created the ‘ESX Admins’ group in the domain and added a new user account to it…[This] attack resulted in encrypting of the ESXi file system and losing functionality of the hosted virtual machines on the ESXi hypervisor,” the company warned.
VMware ESXi, also known as ES, is a type of hypervisor that gets installed directly on servers and separates them into multiple virtual machines.
