VMware ESXi Authentication Bypass Vulnerability (CVE-2024-37085)

CVE-2024-37085 is an authentication bypass vulnerability in VMware ESXi hosts that are joined to Active Directory (AD). It allows a malicious actor with sufficient AD permissions (enough to create a group, or to rename an existing one) to gain full administrative access to an ESXi host. When a host is joined to a domain, ESXi grants full administrative rights to members of an AD group with the default name "ESX Admins", but it does not verify that such a group existed at the time of the join, and it identifies the group by name rather than by its security identifier (SID). An attacker who creates a group named "ESX Admins", or renames an existing group to that name, and adds an account to it therefore becomes an ESXi administrator without any change on the host itself.
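The following is an added, illustrative model of that authorisation flaw; it is not VMware code and does not reproduce ESXi's actual implementation. It contrasts a name-based check (the behaviour described above) with a check pinned to the group SID recorded at join time, using a toy in-memory directory. The class and function names are assumptions made for this example.

```python
"""Toy model (added example, not VMware code) of why matching the admin group
by name, as described for CVE-2024-37085, is exploitable, versus pinning it
to the SID recorded when the host joined the domain."""
from dataclasses import dataclass, field


@dataclass
class ADGroup:
    sid: str
    name: str
    members: set = field(default_factory=set)


@dataclass
class Directory:
    """Minimal stand-in for AD: groups keyed by SID (hypothetical, for illustration)."""
    groups: dict = field(default_factory=dict)

    def create_group(self, sid: str, name: str) -> ADGroup:
        group = ADGroup(sid, name)
        self.groups[sid] = group
        return group

    def rename_group(self, sid: str, new_name: str) -> None:
        # A rename keeps the SID and only changes the display/SAM name.
        self.groups[sid].name = new_name

    def find_by_name(self, name: str) -> list:
        # AD group names are not case-sensitive, so neither is this lookup.
        return [g for g in self.groups.values() if g.name.lower() == name.lower()]


def is_admin_by_name(directory: Directory, user: str, admin_group="ESX Admins") -> bool:
    """Flawed check: whichever group currently carries the admin name grants
    host-admin rights, regardless of who created it or when."""
    return any(user in g.members for g in directory.find_by_name(admin_group))


def is_admin_by_sid(directory: Directory, user: str, pinned_sid) -> bool:
    """Hardened design (illustrative, not VMware's patch): rights flow only from
    the one group whose SID was recorded at domain join; None means no group
    existed at that time, so nobody is an admin via AD."""
    if pinned_sid is None:
        return False
    group = directory.groups.get(pinned_sid)
    return group is not None and user in group.members


def run_scenarios() -> dict:
    """Two attacker paths from the text: create a same-named group, or rename one."""
    # Scenario 1: no 'ESX Admins' group existed when the host joined (pinned SID None).
    ad = Directory()
    rogue = ad.create_group("S-1-5-21-3623811015-3361044348-30300820-1105", "ESX Admins")
    rogue.members.add("attacker")
    created = (is_admin_by_name(ad, "attacker"), is_admin_by_sid(ad, "attacker", None))

    # Scenario 2: a legitimate, unrelated group is renamed to the admin name.
    ad2 = Directory()
    helpdesk = ad2.create_group("S-1-5-21-3623811015-3361044348-30300820-1203", "HelpDesk")
    helpdesk.members.add("attacker")
    ad2.rename_group(helpdesk.sid, "esx admins")  # case differs; name match still succeeds
    renamed = (is_admin_by_name(ad2, "attacker"), is_admin_by_sid(ad2, "attacker", None))

    return {"created_group": created, "renamed_group": renamed}


if __name__ == "__main__":
    for scenario, (by_name, by_sid) in run_scenarios().items():
        print(f"{scenario}: name-based admin={by_name}, SID-pinned admin={by_sid}")
```

In both scenarios the name-based check hands the attacker administrative rights while the SID-pinned check does not, which is the whole of the bug: the trust anchor is a string anyone with group-management rights in AD can reproduce.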

This vulnerability has been actively exploited in ransomware attacks targeting VMware environments, where attackers gain control of ESXi hypervisors, encrypt the hosted virtual machines, and exfiltrate data. VMware (Broadcom) released fixes in ESXi 8.0 Update 3 and VMware Cloud Foundation 5.2 but has stated that older branches such as ESXi 7.0 will not be patched. Affected systems should be updated promptly. Where an immediate upgrade is not possible, Broadcom's published workaround is to change the host advanced settings so that the default group is no longer trusted: set `Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd` to false and, optionally, point `Config.HostAgent.plugins.hostsvc.esxAdminsGroup` at a dedicated, tightly controlled group name. In all cases, administrators should monitor AD for the creation, renaming, or membership changes of any group named "ESX Admins" (the match is case-insensitive), since that is the attacker's only required action.

See more details on: