CVE-2024-37085

Description

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.

References

https://www.securityweek.com/blackbyte-ransomware-gang-believed-to-be-more-active-than-leak-site-suggests/

https://www.darkreading.com/cyberattacks-data-breaches/blackbyte-targets-esxi-bug-with-ransomeware-to-access-virtual-assets

https://thehackernews.com/2024/08/blackbyte-ransomware-exploits-vmware.html

https://securityaffairs.com/167695/malware/blackbyte-ransomware-vmware-esxi-flaw.html

https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/

https://securityaffairs.com/166432/hacking/vmware-esxi-cve-2024-37085-vulnerable-instances.html

https://www.cyberdaily.au/security/10896-ransomware-gangs-observed-exploiting-vmware-esxi-flaw-in-the-wild

https://www.bleepingcomputer.com/news/security/black-basta-ransomware-switches-to-more-evasive-custom-malware/

https://www.bleepingcomputer.com/news/microsoft/microsoft-ransomware-gangs-exploit-vmware-esxi-auth-bypass-in-attacks/

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505

Details

Source: Mitre, NVD

Risk Information

CVSS v2

CVSS v3