The U.S. Cybersecurity and Infrastructure Security Agency (CISA) an authentication bypass VMware ESXi vulnerability, tracked as CVE-2024-37085 (CVSS score of 6.8), to its .
This week, Microsoft warned that multiple ransomware gangs are exploiting the recently patched vulnerability CVE-2024-37085 (CVSS score of 6.8) in VMware ESXi flaw.
“Microsoft researchers have uncovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors.” Microsoft.
The flaw is an authentication bypass vulnerability in VMware ESXi.
“A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD.” reads the published by the virtualization giant.
The company released patches for security vulnerabilities affecting ESXi 8.0 and VMware Cloud Foundation 5.x. However, no patches are planned for the older versions, ESXi 7.0 and VMware Cloud Foundation 4.x. Users of the unsupported versions are recommended to upgrade to newer versions to receive security updates and support.
Microsoft reported that multiple financially motivated groups like Storm-0506, Storm-1175, and Octo Tempest have already exploited this vulnerability to deploy ransomware.
“Microsoft security researchers identified a new post-compromise technique utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks.” continues Microsoft. “In several cases, the use of this technique has led to Akira and Black Basta ransomware deployments. “
According to , FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts recommend also private organizations review the and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by August 20, 2024.
Follow me on Twitter: and and Mastodon
(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)