August 1, 2024 at 09:18AM
Around 20,000 unpatched VMware ESXi servers vulnerable to CVE-2024-37085 (CVSS 6.8) are reachable from the internet. The flaw gives threat actors full access, and ransomware groups such as Storm-0506 and Octo Tempest are exploiting it. It grants administrative control over the hypervisor, exposing the environment to file encryption, VM access, and lateral movement within the network. Urgent patching is advised.
From the meeting notes, it is evident that there is a critical security vulnerability (CVE-2024-37085) in VMware ESXi servers that allows threat actors to gain full access to vulnerable instances. This flaw, with a CVSS score of 6.8, is a medium-severity authentication bypass and has been exploited by multiple threat actor groups, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, leading to ransomware attacks.
The exploit involves threat actors creating an ESX Admins group and adding themselves as members to gain full administrative privileges, potentially leading to the encryption of the hypervisor’s file system, data exfiltration, or lateral movement within the network. The observation of more than 20,000 internet-accessible vulnerable instances by The Shadowserver Foundation highlights the widespread risk.
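Because the technique described above hinges on an Active Directory group named "ESX Admins" being created, renamed into existence, or populated, the domain controller's security log is the natural place to watch for it. The following is an added detection example, not code from the original report or from VMware or Microsoft. It assumes the ESXi hosts are domain-joined, that domain-controller logs are collected, and that the relevant Windows Security event IDs are 4727 (global security group created), 4728 (member added to a global security group), 4737 (global security group changed) and 4781 (account name changed); the log line format and all sample entries are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows Security event IDs for Active Directory group changes (assumption: the
# ESXi hosts are domain-joined and domain-controller security logs are collected).
GROUP_CREATED = 4727   # security-enabled global group created
MEMBER_ADDED = 4728    # member added to a security-enabled global group
GROUP_CHANGED = 4737   # security-enabled global group changed
NAME_CHANGED = 4781    # account (here: group) name changed

# Group name that ESXi trusts by default. Compared case-insensitively, since the
# attack depends only on the name, whatever its letter case.
WATCHED_GROUP = "esx admins"


@dataclass(frozen=True)
class Alert:
    timestamp: str
    event_id: int
    actor: str
    description: str


_KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line of the form
    '<timestamp> EventID=<n> Key="value" ...' into a dict, or None if malformed."""
    parts = line.strip().split(maxsplit=2)
    if len(parts) < 2 or not parts[1].startswith("EventID="):
        return None
    rec = {"timestamp": parts[0], "event_id": int(parts[1].split("=", 1)[1])}
    rec.update(_KV_RE.findall(parts[2] if len(parts) == 3 else ""))
    return rec


def _bare_name(account: str) -> str:
    """'CORP\\ESX Admins' -> 'esx admins': drop the domain prefix, fold case."""
    return account.rsplit("\\", 1)[-1].strip().casefold()


def classify(rec: dict) -> Optional[Alert]:
    """Return an Alert if this record touches the watched group, else None."""
    eid = rec["event_id"]
    actor = rec.get("Subject", "?")
    ts = rec["timestamp"]
    group = rec.get("Group", "")
    if eid == GROUP_CREATED and _bare_name(group) == WATCHED_GROUP:
        return Alert(ts, eid, actor, f"group {group!r} created")
    if eid == MEMBER_ADDED and _bare_name(group) == WATCHED_GROUP:
        return Alert(ts, eid, actor, f"{rec.get('Member')!r} added to {group!r}")
    if eid == GROUP_CHANGED and _bare_name(group) == WATCHED_GROUP:
        return Alert(ts, eid, actor, f"group {group!r} modified")
    if eid == NAME_CHANGED and _bare_name(rec.get("NewName", "")) == WATCHED_GROUP:
        return Alert(ts, eid, actor,
                     f"{rec.get('OldName')!r} renamed to {rec['NewName']!r}")
    return None


def detect(lines: Iterable[str]) -> List[Alert]:
    """Scan log lines and return every alert, in log order."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: an attacker-style sequence (create, add member, rename
# another group into the watched name) mixed with benign group activity.
SAMPLE_LOG = [
    r'2024-07-29T10:02:11Z EventID=4727 Subject="CORP\jdoe" Group="CORP\ESX Admins"',
    r'2024-07-29T10:02:40Z EventID=4728 Subject="CORP\jdoe" Member="CORP\svc-backup" Group="CORP\ESX Admins"',
    r'2024-07-29T10:05:00Z EventID=4728 Subject="CORP\admin1" Member="CORP\alice" Group="CORP\Domain Users"',
    r'2024-07-29T10:06:00Z EventID=4781 Subject="CORP\jdoe" OldName="CORP\Helpdesk" NewName="CORP\esx admins"',
    "not a log line at all",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the scan flags the group creation, the membership addition and the rename into the trusted name, and ignores the routine "Domain Users" change. In a real deployment the same logic would sit behind whatever parser your SIEM uses for event 4727/4728/4737/4781 records; the point is the case-insensitive match on the bare group name, which is what the renaming variant relies on slipping past.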
VMware has released patches for this vulnerability, but the ongoing exploitation by multiple threat actors emphasizes the urgency for all organizations to apply these patches. Additionally, it is noted that some vulnerable instances may have workarounds applied to prevent exploitation, but it remains a critical concern.
The meeting notes also reference related security issues, such as the exploitation of VMware in recent MITRE hacks and Chinese spies exploiting VMware vCenter Server vulnerabilities since 2021. This information underscores the importance of strengthening the security posture related to VMware and related systems.
If you need further clarification or action points on this matter, please let me know.