Roughly 20,000 VMware ESXi servers that are apparently unpatched against an exploited vulnerability are accessible from the internet, data from The Shadowserver Foundation shows.
The flaw, tracked as CVE-2024-37085 (CVSS score of 6.8), is a medium-severity authentication bypass that allows threat actors to gain full access to a vulnerable ESXi instance.
“A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESX Admins’ by default) after it was deleted from AD,” VMware notes in its advisory.
The company announced patches for the vulnerability on July 24 and less than a week later Microsoft revealed that multiple ransomware groups had been exploiting it in attacks.
Threat actors such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, Microsoft said, exploited the vulnerability in multiple attacks, in some cases deploying ransomware such as Akira and Black Basta.
As part of the observed attacks, the threat actors created an ESX Admins group and added themselves as members of the group to gain full administrative privileges to all VMware ESXi hypervisors that joined the group.
“Successful exploitation leads to full administrative access to the ESXi hypervisors, allowing threat actors to encrypt the file system of the hypervisor, which could affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network,” Microsoft says.
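The Active Directory changes described above (the default 'ESX Admins' group being deleted, re-created and populated) leave a trail in the domain controller's Security log. As an added example that is not from the article, VMware or Microsoft, the Python script below flags that sequence in constructed event records; the event IDs are the standard Windows ones for global group creation (4727), member addition (4728) and deletion (4730), and the account names and the escalation rules are assumptions for illustration.

```python
"""Flag AD group changes matching the CVE-2024-37085 abuse pattern.

Windows Security Log event IDs used (standard Windows values, not from the article):
  4727 - security-enabled global group created
  4728 - member added to a security-enabled global group
  4730 - security-enabled global group deleted
The records below are constructed for illustration, not real telemetry.
"""
from dataclasses import dataclass

# Default group ESXi grants admin rights to; compared case-insensitively here
# so that a renamed-case variant is not missed by the detection.
WATCHED_GROUP = "esx admins"

@dataclass
class Event:
    event_id: int
    group: str
    subject: str      # account that made the change
    member: str = ""  # account added (4728 only)

SAMPLE_EVENTS = [  # constructed sample records
    Event(4730, "ESX Admins", "CORP\\helpdesk"),            # group deleted
    Event(4727, "ESX Admins", "CORP\\jdoe"),                # re-created, same name
    Event(4728, "ESX Admins", "CORP\\jdoe", "CORP\\jdoe"),  # creator adds self
    Event(4727, "Finance", "CORP\\hr"),                     # unrelated, ignored
    Event(4727, "esx admins", "CORP\\svc-backup"),          # case variant matches
]

def is_watched(group: str) -> bool:
    return group.strip().lower() == WATCHED_GROUP

def detect(events):
    """Return alert lines; a create after a delete, or a self-add, is escalated."""
    alerts, deleted_seen = [], False
    for e in events:
        if not is_watched(e.group):
            continue
        if e.event_id == 4730:
            deleted_seen = True
            alerts.append(f"WARN  group '{e.group}' deleted by {e.subject}")
        elif e.event_id == 4727:
            sev = "CRIT" if deleted_seen else "WARN"
            alerts.append(f"{sev}  group '{e.group}' created by {e.subject}")
        elif e.event_id == 4728:
            sev = "CRIT" if e.member == e.subject else "WARN"
            alerts.append(f"{sev}  {e.member} added to '{e.group}' by {e.subject}")
    return alerts

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Hosts that are patched, or where the workaround settings are applied, no longer honour the group automatically, but the same events remain a useful signal of someone attempting the technique.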
On Wednesday, The Shadowserver Foundation announced that it added CVE-2024-37085 to its list of tracked CVEs and that it observed more than 20,000 internet-accessible instances vulnerable on July 30. There appear to be no significant changes in the statistics as of July 31.
Shadowserver assumes these instances are vulnerable based on their ESXi version, but notes that some may have workarounds applied to prevent exploitation.
Although CVE-2024-37085 is a medium-severity bug, its ongoing exploitation by multiple threat actors makes applying the available patches an urgent matter for all organizations.