Security News > 2024 > July > CISA warns of VMware ESXi bug exploited in ransomware attacks
CISA has ordered U.S. Federal Civilian Executive Branch agencies to secure their servers against a VMware ESXi authentication bypass vulnerability exploited in ransomware attacks.
Broadcom subsidiary VMware fixed this flaw discovered by Microsoft security researchers on June 25 with the release of ESXi 8.0 U3. CVE-2024-37085 allows attackers to add a new user to the 'ESX Admins' group-not present by default but can be added after gaining high privileges on the ESXi hypervisor-which will automatically be assigned full administrative privileges.
CVE-2024-37085 has been exploited by ransomware operators tracked as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest to deploy Akira and Black Basta ransomware.
Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks.
New Play ransomware Linux version targets VMware ESXi VMs. SEXi ransomware rebrands to APT INC, continues VMware ESXi attacks.
Linux version of RansomHub ransomware targets VMware ESXi VMs. CISA warns of Windows bug exploited in ransomware attacks.
News URL
Related news
- Ransomware on ESXi: The mechanization of virtualized attacks (source)
- Ransomware gang uses SSH tunnels for stealthy VMware ESXi access (source)
- French govt contractor Atos denies Space Bears ransomware attack claims (source)
- CISA: No Wider Federal Impact from Treasury Cyber Attack, Investigation Ongoing (source)
- CISA warns of critical Oracle, Mitel flaws exploited in attacks (source)
- Casio says data of 8,500 people exposed in October ransomware attack (source)
- Preventing the next ransomware attack with help from AI (source)
- CISA orders agencies to patch BeyondTrust bug exploited in attacks (source)
- OneBlood confirms personal data stolen in July ransomware attack (source)
- CISA Adds Second BeyondTrust Flaw to KEV Catalog Amid Active Attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-25 | CVE-2024-37085 | Improper Authentication vulnerability in VMWare Cloud Foundation and Esxi VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD. | 7.2 |