
VMware ESXi Active Directory Integration Authentication Bypass (Moderate)

Tuesday July 30, 2024

VMware ESXi contains an authentication bypass vulnerability, CVE-2024-37085, that has been actively exploited as a zero-day by several ransomware operators. When exploited, the attackers gain full administrative permissions on Active Directory (AD) domain-joined ESXi hypervisors, allowing them to mass-encrypt entire file systems. The vulnerability has a CVSS base score of 6.8. The advisory can be read on Broadcom's site.

Impacted products

  • VMware ESXi
  • VMware vCenter Server
  • VMware Cloud Foundation

Remediation

Update to the fixed version as soon as possible. For ESXi this is version 8.0 Update 3, which can be found here; for VMware Cloud Foundation the fixed version is 5.2, found here.

For further guidance on protecting your network beyond applying VMware's security updates, see Microsoft's post (under "Mitigation and protection guidance").

Customers with Defender for Endpoint and/or Defender for Identity should be on the lookout for these alerts that may indicate threat activity associated with this vulnerability:

  • Suspicious modifications to ESX Admins group
  • New group added suspiciously
  • Suspicious Windows account manipulation
  • Compromised account conducting hands-on-keyboard attack
  • Suspicious creation of ESX group

Workaround

KB369707 lists in-product workarounds for this CVE.
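The following PowerShell audit is an added example, not part of this bulletin or of Microsoft's or Broadcom's guidance. It ties the alert names above (modifications to or creation of an "ESX Admins" group) and the workaround to a concrete check: it reports whether such a group exists in AD, when it was created and changed, who is in it, and what each AD-joined ESXi host has configured for the advanced settings that map that group to administrator access. It assumes the ActiveDirectory RSAT module and VMware PowerCLI are installed, that a vCenter session is already open via Connect-VIServer, and that the two setting names (Config.HostAgent.plugins.hostsvc.esxAdminsGroup and Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd) match those in KB369707; verify them against the KB for your version.

```powershell
# Added audit example; not the bulletin's, Microsoft's or Broadcom's own code.
# Assumes: ActiveDirectory RSAT module, VMware PowerCLI, and an existing
# Connect-VIServer session. Group name and setting names are assumptions
# (defaults as documented for CVE-2024-37085); confirm against KB369707.
param(
    [string]$GroupName = 'ESX Admins'
)

Import-Module ActiveDirectory
Import-Module VMware.VimAutomation.Core

# 1. Look for the group the Defender alerts refer to. A group that was created
#    recently or whose membership changed unexpectedly deserves investigation.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" `
    -Properties whenCreated, whenChanged -ErrorAction SilentlyContinue
if ($null -eq $group) {
    Write-Output "No AD group named '$GroupName' found."
} else {
    Write-Output ("Group '{0}' created {1}, last changed {2}" -f `
        $group.Name, $group.whenCreated, $group.whenChanged)
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object SamAccountName, objectClass, distinguishedName |
        Format-Table -AutoSize
}

# 2. For every AD-joined host, show the settings that control the automatic
#    admin mapping of that group (setting names assumed, see lead-in).
#    The KB workaround disables the automatic mapping; a host that still has
#    AutoAdd enabled and the default group name is the state to flag.
$settingNames = @(
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroup',
    'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'
)
foreach ($vmhost in Get-VMHost) {
    $auth = Get-VMHostAuthentication -VMHost $vmhost
    if (-not $auth.Domain) { continue }   # standalone hosts are not affected
    Get-AdvancedSetting -Entity $vmhost -Name $settingNames |
        Select-Object @{n = 'Host'; e = { $vmhost.Name }}, Name, Value |
        Format-Table -AutoSize
}
```

Run it from a workstation that can reach both a domain controller and vCenter; hosts that report the default group name with AutoAdd still enabled are the ones the workaround in KB369707 addresses.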

Resources

A detailed post by Microsoft was published on July 29 and presents an analysis of the CVE, details of an observed attack, and further mitigation and protection guidance: https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/

Broadcom’s advisory: https://knowledge.broadcom.com/external/article?legacyId=1025569

NIST Vulnerability Database entry: https://nvd.nist.gov/vuln/detail/CVE-2024-37085

AttackerKB article: https://attackerkb.com/topics/2llWJbMF0o/cve-2024-37085