VMware, ServiceNow, Acronis Vulnerabilities Exploited: 5 Things To Know

New disclosures Monday pointed to attacks exploiting vulnerabilities in the three vendors’ platforms.

New disclosures Monday revealed attacks exploiting vulnerabilities in widely used platforms from VMware, ServiceNow and Acronis.

The attacks have included exploits of two critical-severity vulnerabilities in ServiceNow’s Now Platform as well as a critical vulnerability affecting Acronis Cyber Infrastructure.

Meanwhile, an exploited VMware ESXi vulnerability has been rated as a medium-severity issue, though it has reportedly been leveraged in attacks by multiple ransomware operators.

What follows are five things to know about the cyberattacks exploiting vulnerabilities in VMware, ServiceNow and Acronis platforms.

VMware ESXi Vulnerability

In a post Monday, Microsoft disclosed that the flaw in VMware ESXi hypervisors has been “exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors.”

The vulnerability is tracked at CVE-2024-37085. It was fixed in connection with the release of ESXi 8.0 in late June, according to Broadcom, which owns VMware.

In an advisory, Broadcom said that the vulnerability — as well as two others, tracked at CVE-2024-37086 and CVE-2024-37087 — are considered “medium” severity issues.

The flaw “involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation,” Microsoft researchers wrote.

The attackers’ goal in exploiting the flaw has been to “elevate their privileges to full administrative access on the ESXi hypervisor,” the researchers wrote.

VMware ESXi Attacks

In the Microsoft post, researchers said the VMware ESXi vulnerability has been “utilized by ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest in numerous attacks.”

The attacks have included the deployment of Black Basta and Akira ransomware variants, the Microsoft researchers said.

In one attack “earlier this year,” researchers said that “an engineering firm in North America was affected by a Black Basta ransomware deployment by Storm-0506.”

“During this attack, the threat actor used the CVE-2024-37085 vulnerability to gain elevated privileges to the ESXi hypervisors within the organization,” the researchers wrote.

In a statement provided to CRN, Broadcom wrote that “we promptly fixed the issue in a software update to ESXi 8.x and published a security advisory that explained how to change settings in earlier versions of ESXi to mitigate the threat. Customers who have not yet updated ESXi or followed the published guidance are vulnerable to this authentication-bypass risk once a malicious actor has obtained unauthorized Active Directory privileges.”
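One way to turn the "change settings in earlier versions" guidance into a repeatable check, written here as an added example that is not code from the article, Microsoft, Broadcom or VMware: a read-only PowerCLI audit that lists every domain-joined ESXi host and flags those still using the default domain admin group or auto-adding it. The two advanced-setting names and the default group name "ESX Admins" are assumptions from the author's reading of Broadcom's advisory and are not stated on this page; confirm them against the advisory for your ESXi version before relying on the output.

```powershell
# Added example (not from the article or the vendors): audit domain-joined ESXi hosts
# for the default-admin-group settings that the CVE-2024-37085 guidance says to change.
# Assumptions (verify against Broadcom's advisory for your version):
#   - VMware PowerCLI is installed and Connect-VIServer has already been run.
#   - The two advanced settings below control which AD group receives admin rights
#     and whether that group is added automatically; 'ESX Admins' is the default name.
$GroupSetting   = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$AutoAddSetting = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'
$DefaultGroup   = 'ESX Admins'

$report = foreach ($vmhost in Get-VMHost) {
    # Only hosts joined to Active Directory are in scope for this issue.
    $auth = Get-VMHostAuthentication -VMHost $vmhost
    if (-not $auth.Domain) { continue }

    $group   = (Get-AdvancedSetting -Entity $vmhost -Name $GroupSetting).Value
    $autoAdd = (Get-AdvancedSetting -Entity $vmhost -Name $AutoAddSetting).Value

    # Collect findings rather than declaring the host vulnerable: a host that already
    # carries the fix may legitimately keep the default values.
    $findings = @()
    if ($group -eq $DefaultGroup) { $findings += 'default admin group name in use' }
    if ("$autoAdd" -eq 'true')    { $findings += 'admin group auto-add enabled' }

    [pscustomobject]@{
        Host     = $vmhost.Name
        Version  = "$($vmhost.Version) build $($vmhost.Build)"
        Domain   = $auth.Domain
        Group    = $group
        AutoAdd  = $autoAdd
        Status   = if ($findings) { 'REVIEW' } else { 'OK' }
        Findings = $findings -join '; '
    }
}

# Hosts needing review sort to the top; cross-check their Version column against
# the advisory's fixed builds before deciding whether to patch or change the settings.
$report | Sort-Object Status -Descending | Format-Table -AutoSize
```

The script only reads settings; changing the group name or the auto-add flag is a deliberate administrative step that should follow the vendor guidance for the host's version, since the Broadcom statement above notes that the fix in ESXi 8.x and the settings change for earlier versions are the two supported paths.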

ServiceNow Input Validation Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Monday that a pair of critical-severity ServiceNow vulnerabilities have seen exploitation in attacks.

CISA added the two flaws to its catalog of vulnerabilities known to have seen exploitation in the wild Monday.

The first vulnerability, tracked at CVE-2024-4879, is an “improper input validation” flaw. “This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform,” according to a page for the bug on the National Vulnerability Database website.

In response to an inquiry from CRN, ServiceNow said that it “learned of a vulnerability on the Now Platform impacting instances running on the Vancouver and Washington, D.C. family releases” on May 14. “That day, we deployed an update and have since issued a series of patches designed to address the issue,” the company said.

“Based on our investigation to date, we have not observed evidence that any malicious activity is related to instances that ServiceNow hosts,” the company said. “We have encouraged our self-hosted and ServiceNow-hosted customers to apply relevant patches if they have not already done so. We will also continue to work directly with customers who need assistance in applying those patches.”

ServiceNow Disallowed Inputs Flaw

A second critical-severity ServiceNow vulnerability was added by CISA to its catalog of exploited vulnerabilities Monday. The “incomplete list of disallowed inputs” flaw is tracked at CVE-2024-5217.

“This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform,” according to a page for the issue on the National Vulnerability Database website.

Acronis Cyber Infrastructure Flaw

CISA also added a critical-severity bug affecting Acronis Cyber Infrastructure (ACI), tracked at CVE-2023-45249, to its catalog of exploited vulnerabilities Monday. Multiple versions of ACI are impacted.

The insecure default password flaw in ACI can enable “remote command execution due to use of default passwords,” according to a page for the issue on the National Vulnerability Database website.

“Acronis identified the vulnerability nine months ago, and a security patch was released immediately,” the company said in a statement to CRN. “Customers running the older version of Acronis Cyber Infrastructure impacted by the vulnerability were promptly informed, provided a patch and recommended upgrading to the new version.”