CISA Urges Patching For Exploited VMware ESXi Vulnerability

The U.S. cybersecurity agency’s warning comes after a Microsoft report saying multiple ransomware operators have utilized the bug in attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about risks from a VMware ESXi vulnerability after Microsoft reported that multiple ransomware operators have utilized the bug in attacks.

In a post Tuesday, CISA said it “strongly urges” that organizations prioritize “timely” patching of the issue. The same day, the agency added the flaw, tracked as CVE-2024-37085, to its catalog of vulnerabilities known to be exploited in the wild.


Microsoft disclosed Monday that the flaw in VMware ESXi hypervisors has been “exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors.”

The vulnerability was fixed with the release of ESXi 8.0 in late June, according to Broadcom, which owns VMware.

In an advisory, Broadcom said that the vulnerability, along with two others tracked as CVE-2024-37086 and CVE-2024-37087, is rated a “medium” severity issue.

The flaw “involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation,” Microsoft researchers wrote.

The attackers’ goal in exploiting the flaw has been to “elevate their privileges to full administrative access on the ESXi hypervisor,” the researchers wrote.

In the Microsoft post, researchers said the VMware ESXi vulnerability has been “utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks.”

The attacks have included the deployment of Black Basta and Akira ransomware variants, Microsoft researchers said.

In one attack “earlier this year,” researchers said that “an engineering firm in North America was affected by a Black Basta ransomware deployment by Storm-0506.”

“During this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors within the organization,” the researchers wrote.

In a statement provided to CRN, Broadcom wrote that “we promptly fixed the issue in a software update to ESXi 8.x and published a security advisory that explained how to change settings in earlier versions of ESXi to mitigate the threat.”

“Customers who have not yet updated ESXi or followed the published guidance are vulnerable to this authentication-bypass risk once a malicious actor has obtained unauthorized Active Directory privileges,” Broadcom said in the statement.