In the News: VMware ESXi servers targeted by Akira, BlackBasta ransomware groups
Published originally on July 30, 2024 by Steve Zurier on SC Magazine


A vulnerability in VMware ESXi hypervisors was found being exploited by several ransomware operators, including Akira and Black Basta, with an aim to obtain full administrative permissions via Active Directory (AD), according to Microsoft Threat Intelligence.


The vulnerability — CVE-2024-37085 — gives a domain group full administrative access to the ESXi hypervisor by default without proper validation. Microsoft reported the flaw to VMware, which has issued a patch.

Broadcom, which now owns VMware, pointed out in its advisory that “a malicious actor with sufficient AD permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group — ESXi Admins — by default after it was previously deleted from AD.”
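The condition the advisory describes, a domain group named for ESXi administrators being re-created, renamed into existence, or populated, is visible in domain controller audit logs. The following is an added example, not code from the article, VMware or Microsoft; it assumes Security-log events already normalized into dicts with the standard field names (EventID, SubjectUserName, TargetUserName, NewTargetUserName, MemberName) and runs over constructed sample events. It matches both the "ESXi Admins" spelling quoted above and the "ESX Admins" spelling used in VMware's documentation.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows Security audit event IDs (global / domain-local / universal groups).
GROUP_CREATED = {4727, 4731, 4754}   # "A security-enabled ... group was created"
MEMBER_ADDED = {4728, 4732, 4756}    # "A member was added to a security-enabled ... group"
ACCOUNT_RENAMED = 4781               # "The name of an account was changed"

# Accepts "ESX Admins" as well as the "ESXi Admins" spelling quoted in the advisory text.
ESX_ADMINS = re.compile(r"^esxi?\s*admins$", re.IGNORECASE)


@dataclass
class Alert:
    event_id: int
    actor: str      # account that performed the change (SubjectUserName)
    group: str
    reason: str


def check_event(ev: dict) -> Optional[Alert]:
    """Return an Alert if this event touches the ESXi admin group, else None."""
    eid = int(ev["EventID"])
    actor = ev.get("SubjectUserName", "?")
    target = ev.get("TargetUserName", "")
    if eid in GROUP_CREATED and ESX_ADMINS.match(target):
        return Alert(eid, actor, target, "ESX Admins group (re)created")
    if eid == ACCOUNT_RENAMED and ESX_ADMINS.match(ev.get("NewTargetUserName", "")):
        return Alert(eid, actor, ev["NewTargetUserName"], "existing group renamed to ESX Admins")
    if eid in MEMBER_ADDED and ESX_ADMINS.match(target):
        return Alert(eid, actor, target, f"member {ev.get('MemberName', '?')} added to ESX Admins")
    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    return [a for a in (check_event(e) for e in events) if a is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "svc-provision", "TargetUserName": "Finance-Users"},
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Temp-Group",
     "NewTargetUserName": "esxi admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.event_id}] {a.actor}: {a.reason} (group={a.group!r})")
```

A hit is only the starting point for triage: creation or renaming of this group outside a change window, or by an account that does not normally manage AD groups, is what distinguishes abuse from legitimate administration.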


“This is just the latest in a string of VMware vulnerabilities,” said Ashley Leonard, founder and CEO, Syxsense. “Microsoft notes that engagements impacting ESXi hypervisors have more than doubled in the last three years, and this specific vulnerability has led to the deployment of Black Basta and Akira ransomware in the wild, so I’d encourage enterprises hosting critical applications using ESXi VMs to take caution and patch immediately.”

Leonard said that while this sounds easy enough in practice, security teams are overwhelmed by the increasing number of CVEs and patches needed to keep their organizations secure. While this flaw was rated as medium severity, Leonard said that shouldn’t lull teams into a false sense of security.

“A medium-security flaw becomes critical when it is targeting you, so a sound patch management strategy is a must,” said Leonard.


Read the full article on SC Magazine.