ALERT: Threat Actors Exploiting VMware ESXi Vulnerability

Threat actors are actively exploiting a vulnerability in VMWare ESXi hypervisors that are joined to a domain. This exploit allows an attacker to add a user with full admin privileges on a domain-joined ESXi hypervisor. It is being actively exploited in ransomware and other attacks.

A vulnerability in domain-joined ESXi hypervisors can allow a threat actor with access to the domain to gain full administrative control. Hypervisors are hosts for virtual machines which often include servers and other critical systems. Once the threat actor gains access to them, they can install ransomware, encrypting all systems on compromised hypervisors.

This threat is being actively exploited.

Update hypervisors to ESXi 8.0 U3 or newer if possible. If you are unable to update, implement the vendor workaround in Secure Default Settings for ESXi Active Directory integration (Broadcom knowledgebase). It is also recommended to detach ESXi hosts from Active Directory.

The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Threat actors can use three methods to exploit a vulnerability and gain administrative access to ESXi hypervisors that are joined to a domain.

• If the “ESX Admins” group doesn’t exist, any domain user with the ability to create a group can escalate privileges to full administrative access to domain-joined ESXi hypervisors by creating such a group, and then adding themselves, or other users to it. This method is being actively exploited.
• Renaming any group in the domain to “ESX Admins” and adding a user to the group or adding or using an existing member in that group. This method has not been seen to be actively exploited yet.
• ESXi hypervisor privileges refresh – Even if the network administrator assigns any other group in the domain to be the management group for the ESXi hypervisor, the full administrative privileges to members of the “ESX Admins” group are not immediately removed and threat actors still could abuse it. This method was not observed in the wild by Microsoft.

Please contact ITS Information Assurance through the ITS Service Center.

• Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption (Microsoft, 7-29-2024)
• VMSA-2024-0013:VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2024-37085, CVE-2024-37086, CVE-2024-37087) (Broadcom, 7-25-2024)
• Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks (Bleeping Computer, 7-29-2024)
• VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085) (Help Net Security, 7-30-2024)
• Secure Default Settings for ESXi Active Directory integration (Broadcom knowledgebase, July 2024)