July 29, 2024 By Sergiu Gatlan
Microsoft warned today that ransomware gangs are actively exploiting a VMware ESXi authentication bypass vulnerability in attacks.
Tracked as CVE-2024-37085, this medium-severity security flaw was discovered by Microsoft security researchers Edan Zwick, Danielle Kuznets Nohi, and Meitar Pinto and fixed with the release of ESXi 8.0 U3 on June 25.
The bug lets an attacker with sufficient Active Directory privileges create a domain group named 'ESX Admins' (the name is enough; it need not be the group the host was originally configured with) and add accounts to it. Every member of that group is automatically granted full administrative rights on any domain-joined ESXi hypervisor.
"A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD," Broadcom explains.
"Several ESXi advanced settings have default values that are not secure by default. The AD group 'ESX Admins' is automatically given the VIM Admin role when an ESXi host is joined to an Active Directory domain."
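The two advanced settings behind that insecure default are `Config.HostAgent.plugins.hostsvc.esxAdminsGroup` (the group name, 'ESX Admins' by default) and `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd` (whether that group is automatically mapped to the admin role). The PowerCLI script below is an added example, not code from the article, Microsoft or Broadcom: it audits every host in a vCenter for the exposed combination (domain-joined, auto-add still enabled) and, with `-Fix`, disables the auto-add and renames the group. The vCenter name `vcenter.example.internal` and the replacement group name `ESXi-Hardened-Admins` are placeholders.

```powershell
# Added example: audit ESXi hosts for the CVE-2024-37085 default and optionally harden them.
# Assumes VMware PowerCLI is installed; server name and new group name are placeholders.
param(
    [string]$Server = 'vcenter.example.internal',   # placeholder vCenter
    [string]$NewGroupName = 'ESXi-Hardened-Admins', # placeholder replacement group
    [switch]$Fix
)

$GroupSetting   = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$AutoAddSetting = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'

function Get-EsxAdminsExposure {
    # Returns one object per host describing whether the default mapping is still live.
    # Note: $host is a reserved automatic variable in PowerShell, so the loop uses $esx.
    foreach ($esx in Get-VMHost) {
        $auth    = Get-VMHostAuthentication -VMHost $esx
        $group   = [string](Get-AdvancedSetting -Entity $esx -Name $GroupSetting).Value
        $autoAdd = [string](Get-AdvancedSetting -Entity $esx -Name $AutoAddSetting).Value

        # Only hosts actually joined to AD are reachable through this path.
        $joined = [bool]$auth.Domain -and $auth.DomainMembershipStatus -eq 'Ok'

        # Auto-add on a joined host is the exposure; renaming the group only raises the
        # bar for an attacker who must then guess the configured name.
        [pscustomobject]@{
            Host         = $esx.Name
            Domain       = $auth.Domain
            DomainJoined = $joined
            AdminGroup   = $group
            AutoAdd      = ($autoAdd -eq 'true')
            DefaultName  = ($group -eq 'ESX Admins')
            Exposed      = ($joined -and $autoAdd -eq 'true')
        }
    }
}

function Set-EsxAdminsHardening {
    param([Parameter(Mandatory)][string]$HostName, [string]$GroupName)
    $esx = Get-VMHost -Name $HostName
    # Broadcom's workaround: stop the named group from being mapped automatically...
    Get-AdvancedSetting -Entity $esx -Name $AutoAddSetting |
        Set-AdvancedSetting -Value 'false' -Confirm:$false | Out-Null
    # ...and move away from the well-known default name.
    Get-AdvancedSetting -Entity $esx -Name $GroupSetting |
        Set-AdvancedSetting -Value $GroupName -Confirm:$false | Out-Null
}

Connect-VIServer -Server $Server | Out-Null
$report = Get-EsxAdminsExposure
$report | Format-Table -AutoSize

if ($Fix) {
    foreach ($finding in $report | Where-Object Exposed) {
        Write-Output "Hardening $($finding.Host)"
        Set-EsxAdminsHardening -HostName $finding.Host -GroupName $NewGroupName
    }
}
Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it read-only first and review the table; hosts that show `DomainJoined` and `AutoAdd` as true are the ones an attacker who can create or re-create the group in AD can take over. Patching to ESXi 8.0 U3 is still the actual fix; the settings change is the workaround for hosts that cannot be updated yet, and it must be paired with tightening who may create groups in the domain.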