VMware ESXi, Active Directory integration authentication bypass (ransomware abuse)
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESX Admins' by default) after it was deleted from AD.
Overview
CVE-2024-37085 is an authentication bypass vulnerability in VMware ESXi affecting hosts configured to use Active Directory (AD) for user management. When an ESXi host is domain-joined, it automatically grants full administrative privileges to members of an AD group named 'ESX Admins' by default. The vulnerability allows attackers with sufficient AD permissions to create or rename a group to 'ESX Admins,' effectively granting themselves complete control over all ESXi hosts joined to that domain.
This vulnerability has been actively exploited by multiple ransomware operators including Storm-0506, Storm-1175, Octo Tempest, Manatee Tempest, and groups deploying Akira, Black Basta, and Babuk ransomware.
Technical Details
The vulnerability stems from ESXi's trust model when integrated with Active Directory. By default, ESXi hosts grant full administrative access to any user who is a member of an AD group named 'ESX Admins.' The critical flaw is that ESXi does not properly validate that this group continues to exist legitimately or that its membership is appropriately restricted.
The host caches the SID-name mapping and inherently trusts it. If the original 'ESX Admins' group is deleted from AD, an attacker with rights to create groups can recreate the group with themselves as a member. ESXi will then grant that attacker full administrative privileges.
The attack chain observed in the wild follows this pattern:
- Gain initial foothold in the target's Active Directory environment
- Create or rename an AD group to 'ESX Admins' with attacker-controlled membership
- Authenticate to ESXi hosts as a full administrator
- Deploy ransomware directly to the hypervisor, encrypting VM disk files (.vmdk)
Impact
Successful exploitation grants attackers complete administrative control over ESXi hosts. This is particularly devastating because:
- Encrypting VMs at the hypervisor level affects the entire virtualized infrastructure simultaneously
- Recovery is significantly more difficult than traditional per-VM ransomware attacks
- Attackers can disable security tools running within guest VMs
- All virtual machines on affected hosts become inaccessible
Mitigation
- Patch immediately: Upgrade to ESXi 8.0 Update 3 or later. ESXi 7.0 has received a hotfix.
- Apply workaround on unpatched hosts: Change the default admin group name via Advanced Settings → Config.HostAgent.plugins.hostsvc.esxAdminsGroup to a non-default, unique name.
- Audit Active Directory: Review for any 'ESX Admins' group and verify membership matches authorized administrators only.
- Restrict AD group creation: Limit permissions for creating or renaming groups in Active Directory.
Detection
- Monitor Active Directory for creation or modification of groups named 'ESX Admins'
- Audit ESXi host SSH and SSO login events for anomalous administrative sessions
- Review ESXi logs for unexpected authentication from new admin accounts
- Alert on unusual NFS share mounting activity on ESXi hosts
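The first detection item above worked as code, as an added example that is not part of the original advisory: it scans constructed Windows Security group-management events for a group being created with, or renamed to, the ESXi admin group name (case-insensitive, whitespace-normalized, since AD names are case-insensitive). The sample events, the actor names and the `Finding` type are constructed for this example; the event IDs are the standard Security log IDs for group creation and account rename.

```python
"""Flag AD events that create or rename a group to the ESXi admin group name.

Sample events below are constructed, not real telemetry. Event IDs are the
standard Windows Security log IDs: 4727/4754 (global/universal security group
created), 4731 (domain local security group created), 4781 (account name
changed). Field names follow the EventData names in the event XML.
"""
from dataclasses import dataclass

# Default ESXi admin group; pass the host's configured value of
# Config.HostAgent.plugins.hostsvc.esxAdminsGroup if it was changed.
DEFAULT_ESX_ADMINS_GROUP = "ESX Admins"
GROUP_CREATED_EVENTS = {4727, 4731, 4754}
NAME_CHANGED_EVENT = 4781


@dataclass(frozen=True)
class Finding:
    event_id: int
    actor: str
    group: str
    reason: str


def _norm(name: str) -> str:
    # AD group names are case-insensitive; collapse padding whitespace too,
    # so "esx  admins" matches the configured name.
    return " ".join(name.split()).casefold()


def find_esx_admins_group_events(events, admin_group=DEFAULT_ESX_ADMINS_GROUP):
    """Return a Finding for each creation of, or rename to, the admin group name."""
    target = _norm(admin_group)
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "?")
        if eid in GROUP_CREATED_EVENTS and _norm(ev.get("TargetUserName", "")) == target:
            findings.append(Finding(eid, actor, ev["TargetUserName"],
                                    "group created with admin group name"))
        elif eid == NAME_CHANGED_EVENT and _norm(ev.get("NewTargetUserName", "")) == target:
            findings.append(Finding(eid, actor, ev["NewTargetUserName"],
                                    f"group renamed from {ev.get('OldTargetUserName', '?')!r}"))
    return findings


# Constructed sample events: one benign group, one recreation, one rename.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "svc-build", "TargetUserName": "Build Servers"},
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "esx admins"},
    {"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Helpdesk Tier1",
     "NewTargetUserName": "ESX  Admins"},
]

if __name__ == "__main__":
    for f in find_esx_admins_group_events(SAMPLE_EVENTS):
        print(f"[ALERT] event {f.event_id}: {f.actor} -> {f.group!r}: {f.reason}")
```

On a host where the advanced setting was changed per the workaround, pass that value as `admin_group` so the check follows the renamed group rather than the default.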