Known Exploited Vulnerability
CVSS 3.1 base score: 7.2 (HIGH)
CVE-2024-37085
VMware ESXi Authentication Bypass Vulnerability - [Actively Exploited]
Description

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management (see https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html) by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
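The mechanism behind that description is a trust decision keyed on a group's name rather than its identity. The following Python model is an added illustration, not ESXi code and not from the advisory: a host that auto-grants its Administrator role to whichever AD group currently carries a configured name (the pre-fix default behaviour, group name "ESX Admins", mirroring the advanced options Config.HostAgent.plugins.hostsvc.esxAdminsGroup and esxAdminsGroupAutoAdd) is set beside a host that pins the SID of the group it was joined with. The SID-pinned variant illustrates the design principle, not how the 8.0 Update 3 fix is implemented. All group names, SIDs and user names are constructed.

```python
"""Model of the trust flaw behind CVE-2024-37085 (added illustration).

A re-created AD group keeps its name but receives a fresh SID. A host that
resolves its admin group by name on every check therefore trusts the new
group; a host that pinned the original SID does not.
"""
import itertools
from dataclasses import dataclass, field
from typing import Optional

_rid = itertools.count(1101)  # constructed RID counter for fake SIDs


@dataclass
class ADGroup:
    name: str
    sid: str
    members: set = field(default_factory=set)


class Directory:
    """Toy Active Directory: groups keyed by SID; lookup by name or by SID."""

    def __init__(self) -> None:
        self.groups = {}

    def create_group(self, name: str) -> ADGroup:
        # A re-created group always gets a fresh SID, even with the same name.
        group = ADGroup(name, f"S-1-5-21-1-2-3-{next(_rid)}")
        self.groups[group.sid] = group
        return group

    def delete_group(self, sid: str) -> None:
        del self.groups[sid]

    def by_name(self, name: str) -> Optional[ADGroup]:
        # sAMAccountName comparisons are case-insensitive.
        return next((g for g in self.groups.values()
                     if g.name.lower() == name.lower()), None)

    def by_sid(self, sid: str) -> Optional[ADGroup]:
        return self.groups.get(sid)


@dataclass
class NameTrustingHost:
    """Pre-fix ESXi-like behaviour: esx_admins_group is a *name* (assumed
    default "ESX Admins") and auto_add models esxAdminsGroupAutoAdd=true."""
    esx_admins_group: str = "ESX Admins"
    auto_add: bool = True

    def is_admin(self, ad: Directory, user: str) -> bool:
        if not self.auto_add:            # the documented workaround: auto-add off
            return False
        group = ad.by_name(self.esx_admins_group)   # name lookup: the flaw
        return group is not None and user in group.members


@dataclass
class SidPinnedHost:
    """Hardened design: the admin group's SID is captured once, at join time."""
    pinned_admin_sid: str

    def is_admin(self, ad: Directory, user: str) -> bool:
        group = ad.by_sid(self.pinned_admin_sid)
        return group is not None and user in group.members


def run_scenario():
    """Delete and re-create the admin group; report who is admin on each host.

    Returns ((vuln_before, pinned_before),
             (vuln_after, pinned_after, autoadd_off_after)).
    """
    ad = Directory()
    legit = ad.create_group("ESX Admins")
    legit.members.add("alice")

    vulnerable = NameTrustingHost()
    pinned = SidPinnedHost(pinned_admin_sid=legit.sid)
    workaround = NameTrustingHost(auto_add=False)

    before = (vulnerable.is_admin(ad, "alice"), pinned.is_admin(ad, "alice"))

    # Attacker holds group delete/create rights in AD but no ESXi credentials.
    ad.delete_group(legit.sid)
    rogue = ad.create_group("esx admins")   # same name, different SID
    rogue.members.add("mallory")

    after = (vulnerable.is_admin(ad, "mallory"),
             pinned.is_admin(ad, "mallory"),
             workaround.is_admin(ad, "mallory"))
    return before, after


if __name__ == "__main__":
    print(run_scenario())  # ((True, True), (True, False, False))
```

The SID-pinning host is the general principle (the same reason Windows ACLs store SIDs rather than names); the vendor's actual remediation removes the automatic grant, which the auto_add=False case models. In both hardened cases the attacker's re-created group carries the right name and still gets nothing.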

INFO

Published Date :

June 25, 2024, 3:15 p.m.

Last Modified :

Dec. 20, 2024, 4:52 p.m.

Remotely exploitable :

Yes (CVSS AV:N). The attacker needs no ESXi credentials, but must already hold AD rights sufficient to delete and create groups (CVSS PR:H).
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Required Action :

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Notes :

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505; https://nvd.nist.gov/vuln/detail/CVE-2024-37085

Affected Products

The following products are affected by CVE-2024-37085. Exact affected versions are not shown in this table; the CPE configuration in the change history below lists ESXi 7.0, ESXi 8.0 up to and including Update 2c, and VMware Cloud Foundation 4.0 up to (excluding) 5.2.

ID | Vendor | Product
1 | VMware | ESXi
2 | VMware | Cloud Foundation
CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a standardized framework for assessing the severity of vulnerabilities in software and systems. Scores from several sources are collected and displayed for each CVE.

Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source
6.8 | CVSS 3.1 | MEDIUM | AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H | 0.9 | 5.9 | VMware (CNA)
7.2 | CVSS 3.1 | HIGH | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST NVD

The two vectors (taken from the change history below) differ only in User Interaction: VMware rated UI:R, NIST UI:N. Both require high privileges (PR:H), which here means rights in Active Directory to delete and create groups, not privileges on the ESXi host itself.
Solution
This information is provided by third-party feeds.
  • Upgrade to VMware ESXi 8.0 Update 3 or later (VMware Cloud Foundation 5.2 ships the fixed ESXi build). Per the vendor advisory, no patch is planned for ESXi 7.0 or Cloud Foundation 4.x, so those hosts must rely on the workaround below or be removed from the domain.
  • Vendor-documented workaround for hosts that cannot be upgraded: set the advanced option Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false, so the host stops auto-granting Administrator to whatever AD group carries the configured name, and/or point Config.HostAgent.plugins.hostsvc.esxAdminsGroup away from the default "ESX Admins" (the group the CVE text calls 'ESXi Admins'). Then grant host permissions to AD principals explicitly, and review existing AD groups for any that already carry that name.
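Because the precondition for this bypass is visible in the domain controller's Security log before any ESXi host is touched, a defender can alert on it independently of patch status. The following Python is an added example, not from the advisory or any vendor tool: it runs a detection over a constructed JSON Lines export of domain-controller events and flags deletion, re-creation and population of the group whose name the hosts trust. The group name "ESX Admins", the export format and the field names are assumptions modelled on the standard Windows group-management events (4727/4730/4728 and their local and universal counterparts); adapt the parser to your SIEM's schema.

```python
"""Detect deletion and re-creation of the ESXi admin AD group in Windows
Security events (added example for CVE-2024-37085; records are constructed)."""
import json
from datetime import datetime, timedelta

# Assumed: the value of Config.HostAgent.plugins.hostsvc.esxAdminsGroup on the hosts.
ESX_ADMINS_GROUP = "ESX Admins"

# Windows Security event IDs for security-enabled global/local/universal groups.
GROUP_CREATED = {4727, 4731, 4754}
GROUP_DELETED = {4730, 4734, 4758}
MEMBER_ADDED = {4728, 4732, 4756}

# Constructed JSON Lines export of the relevant event fields (one event per line).
SAMPLE_EVENTS = """
{"TimeCreated": "2024-07-28T09:12:03", "EventID": 4728, "TargetUserName": "Backup Operators Ext", "SubjectUserName": "svc-backup", "MemberName": "CN=bob,OU=IT,DC=corp,DC=local"}
{"TimeCreated": "2024-07-28T22:40:11", "EventID": 4730, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe", "TargetSid": "S-1-5-21-1-2-3-1105"}
{"TimeCreated": "2024-07-28T22:41:05", "EventID": 4727, "TargetUserName": "esx admins", "SubjectUserName": "jdoe", "TargetSid": "S-1-5-21-1-2-3-2211"}
{"TimeCreated": "2024-07-28T22:41:40", "EventID": 4728, "TargetUserName": "esx admins", "SubjectUserName": "jdoe", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=local"}
{"TimeCreated": "2024-07-29T08:00:00", "EventID": 4727, "TargetUserName": "Finance-RO", "SubjectUserName": "hr-admin", "TargetSid": "S-1-5-21-1-2-3-2212"}
"""


def parse_events(jsonl: str) -> list:
    """Parse a JSON Lines export and order it by time (ISO-8601 sorts lexically)."""
    events = [json.loads(line) for line in jsonl.strip().splitlines()]
    events.sort(key=lambda e: e["TimeCreated"])
    return events


def detect_esx_admins_abuse(events, group_name=ESX_ADMINS_GROUP,
                            window=timedelta(days=7)):
    """Return alerts as (severity, event_id, time, actor, message) tuples.

    The name match is case-insensitive because sAMAccountName is, and because
    the host's own lookup is by name; that is exactly the flaw being watched.
    A creation shortly after a deletion of the same name is rated critical.
    """
    alerts = []
    last_delete = None
    wanted = group_name.lower()
    for e in events:
        if e.get("TargetUserName", "").lower() != wanted:
            continue
        eid = e["EventID"]
        t = datetime.fromisoformat(e["TimeCreated"])
        actor = e.get("SubjectUserName", "?")
        if eid in GROUP_DELETED:
            last_delete = t
            alerts.append(("medium", eid, t, actor,
                           f"group '{group_name}' deleted (SID {e.get('TargetSid')})"))
        elif eid in GROUP_CREATED:
            recreated = last_delete is not None and t - last_delete <= window
            severity = "critical" if recreated else "high"
            note = " shortly after deletion" if recreated else ""
            alerts.append((severity, eid, t, actor,
                           f"group '{group_name}' created with new SID "
                           f"{e.get('TargetSid')}{note}"))
        elif eid in MEMBER_ADDED:
            alerts.append(("high", eid, t, actor,
                           f"{e.get('MemberName')} added to '{group_name}'"))
    return alerts


if __name__ == "__main__":
    for alert in detect_esx_admins_abuse(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

Creation of a group with this name is worth an alert on its own, not only after a deletion: the host trusts the name, so a freshly created group is as dangerous as a re-created one. Pair the AD-side rule with the ESXi-side check that esxAdminsGroupAutoAdd is false on every domain-joined host.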
Public PoC/Exploit Available at GitHub

Six public PoC/exploit repositories on GitHub reference CVE-2024-37085; they are listed under Public Exploits below.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-37085.

URL Resource
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 Patch Vendor Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-37085 is associated with the following CWEs (see the change history below):

  • CWE-287: Improper Authentication (assigned by NIST)
  • CWE-305: Authentication Bypass by Primary Weakness (assigned by CISA-ADP)

Public Exploits

We scan GitHub repositories to detect new proof-of-concept exploits. The following list collects public exploits and proofs of concept published on GitHub (sorted by most recently updated).

  • (no description)
    Updated: 1 year ago | 0 stars, 0 forks, 0 watchers | Created: Aug. 18, 2024, 5:48 p.m. | Linked to 2 CVEs
  • "CVE-2024-37085 unauthenticated shell upload to full administrator on domain-joined esxi hypervisors."
    Updated: 1 year ago | 0 stars, 0 forks, 0 watchers | Created: Aug. 12, 2024, 5:44 p.m. | Linked to 2 CVEs
  • "CVE-2024-37085 VMware ESXi RCE Vulnerability" (Python)
    Updated: 7 months, 3 weeks ago | 11 stars, 2 forks, 2 watchers | Created: Aug. 6, 2024, 6:23 p.m. | Linked to 1 CVE
  • "Vulnerability Scanner for CVE-2024-37085 and Exploits (For Educational Purpose only)" (Python)
    Updated: 11 months, 3 weeks ago | 2 stars, 0 forks, 0 watchers | Created: Aug. 2, 2024, 1:31 p.m. | Linked to 1 CVE
  • "A GitHub repo to store the blogs, tutorials, and research I read, along with a brief summary of what they were about." (JavaScript)
    Updated: 1 month, 2 weeks ago | 0 stars, 0 forks, 0 watchers | Created: July 22, 2024, 7:52 p.m. | Linked to 1 CVE
  • (no description)
    Updated: 1 year ago | 0 stars, 0 forks, 0 watchers | Created: July 14, 2020, 7:52 a.m. | Linked to 1 CVE

The descriptions above are the repository authors' own claims. Two of them advertise "unauthenticated" access or "RCE"; the advisory and both CVSS vectors (PR:H) describe a bypass that already requires rights in Active Directory to delete and create groups, so treat such claims with caution and test any tool in a lab before relying on it.

The following articles mention CVE-2024-37085 somewhere in their text.

  • Google Cloud
Beyond Convenience: Exposing the Risks of VMware vSphere Active Directory Integration

Written by: Stuart Carrera, Brian Meyer Executive Summary Broadcom's VMware vSphere product remains a popular choice for private cloud virtualization, underpinning critical infrastructure. Far from fa ... Read more

Published Date: Jul 23, 2025 (1 month ago)
  • Help Net Security
Released: MITRE ATT&CK v17.0, now with ESXi attack TTPs

MITRE has released the latest version of its ATT&CK framework, which now also includes a new section (“matrix”) to cover the tactics, techniques and procedures (TTPs) used to target VMware ESXi hyperv ... Read more

Published Date: Apr 23, 2025 (4 months ago)
  • Cyber Security News
VMware ESXi Vulnerabilities Exploited in Wild to Execute Malicious Code

VMware has issued a critical security advisory (VMSA-2025-0004) warning of active exploitation of three vulnerabilities in its ESXi, Workstation, and Fusion products. These flaws, CVE-2025-22224, CVE- ... Read more

Published Date: Mar 04, 2025 (5 months, 3 weeks ago)
  • Cybersecurity News
CVE-2025-0159 (CVSS 9.1): Critical IBM Storage Flaw Allows Authentication Bypass

IBM has issued a security bulletin disclosing two vulnerabilities affecting the graphical user interface (GUI) of several IBM Storage Virtualize products. These vulnerabilities, tracked as CVE-2025-01 ... Read more

Published Date: Mar 04, 2025 (5 months, 3 weeks ago)
  • The Register
Ransomware criminals love CISA's KEV list – and that's a bug, not a feature

Fresh research suggests attackers are actively monitoring databases of vulnerabilities that are known to be useful in carrying out ransomware attacks. GreyNoise's annual Mass Internet Exploitation Rep ... Read more

Published Date: Feb 28, 2025 (5 months, 3 weeks ago)
  • TheCyberThrone
Most Exploited Vulnerabilities in 2024 Top 20 Analysis

In 2024, the cybersecurity landscape saw a significant number of exploited vulnerabilities, highlighting the ongoing challenges organizations face in protecting their systems and data.Some key trends ... Read more

Published Date: Dec 22, 2024 (8 months ago)
  • Kaspersky
IT threat evolution in Q3 2024. Non-mobile statistics

IT threat evolution in Q3 2024 IT threat evolution in Q3 2024. Non-mobile statistics IT threat evolution in Q3 2024. Mobile statistics The statistics presented here are based on detection verdicts by ... Read more

Published Date: Nov 29, 2024 (8 months, 3 weeks ago)
  • TheCyberThrone
The CyberThrone Most Exploited Vulnerabilities Top 10 – October 2024

Welcome to TheCyberThrone most exploited vulnerabilities review. This review is for the month of October 2024CVE-2024-21762: Fortinet FortiOS: Out-of-bounds WriteCVSS 3.1 score : 9.8 CISA KEV : Y ... Read more

Published Date: Nov 01, 2024 (9 months, 3 weeks ago)
  • The Hacker News
Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks

Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets ... Read more

Published Date: Oct 23, 2024 (10 months ago)
  • Cybersecurity News
Akira Ransomware Exploit CVE-2024-40766 in SonicWall SonicOS

The attack chain | Image: S-RMThe notorious Akira ransomware group continues to adapt and refine its methods, solidifying its position as one of the most significant threats in the cyber landscape. Ac ... Read more

Published Date: Oct 22, 2024 (10 months ago)
  • Cybersecurity News
PoC Exploit Released for Windows Hyper-V Zero-Day Vulnerability CVE-2024-38080

Security researcher Pwndorei published a detailed analysis alongside a proof-of-concept (PoC) exploit code for a patched zero-day vulnerability in Windows Hyper-V, tracked as CVE-2024-38080. This crit ... Read more

Published Date: Sep 17, 2024 (11 months, 1 week ago)
  • Cybersecurity News
BlackByte Ransomware Group Exploits VMware CVE-2024-37085 Flaw, Shifts Tactics

The BlackByte ransomware group has re-emerged with an unsettling surge in activity and a refined set of tactics, techniques, and procedures (TTPs) that pose a heightened risk to organizations. Cisco T ... Read more

Published Date: Aug 29, 2024 (11 months, 3 weeks ago)
  • Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News
BlackByte Ransomware Exploits New VMware Flaw in VPN-Based Attacks

BlackByte ransomware group is leveraging a newly discovered VMware ESXi vulnerability and VPN access to launch a new wave of attacks. Cisco Talos reveals the group’s tactics, urging organizations to p ... Read more

Published Date: Aug 28, 2024 (11 months, 3 weeks ago)
  • Dark Reading
BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets

Source: mayam_studio via ShutterstockThreat actors using the infamous BlackByte ransomware strain have joined the rapidly growing number of cybercriminals targeting a recent authentication bypass vuln ... Read more

Published Date: Aug 28, 2024 (11 months, 3 weeks ago)
  • The Hacker News
BlackByte Ransomware Exploits VMware ESXi Flaw in Latest Attack Wave

The threat actors behind the BlackByte ransomware group have been observed likely exploiting a recently patched security flaw impacting VMware ESXi hypervisors, while also leveraging various vulnerabl ... Read more

Published Date: Aug 28, 2024 (11 months, 4 weeks ago)
  • Help Net Security
BlackByte affiliates use new encryptor and new TTPs

BlackByte, the ransomware-as-a-service gang believed to be one of Conti’s splinter groups, has (once again) created a new iteration of its encryptor. “Talos observed some differences in the recent Bla ... Read more

Published Date: Aug 28, 2024 (11 months, 4 weeks ago)
  • Cybersecurity News
Windows Sandbox Gets Supercharged: Clipboard and File Sharing Arrive

Microsoft continues to refine its Windows 11 experience with the introduction of significant updates to the Windows Sandbox application in the latest Windows 11 Canary Build 27686. Designed as a secur ... Read more

Published Date: Aug 16, 2024 (1 year ago)
  • Cybersecurity News
Golddigger and Gigabud Android Banking Trojans: Same Cybercriminal, New Tricks

Icons used by Gigabud malware | Image: CRILA recent investigation by Cyble Intelligence and Research Labs (CRIL) has unveiled a significant connection between two prominent Android banking trojans: Go ... Read more

Published Date: Aug 14, 2024 (1 year ago)
  • Cybersecurity News
Windows Smart App Control, SmartScreen Vulnerable to Exploits

Image: Elastic Security LabsCybersecurity specialists have discovered significant flaws in the protective mechanisms of Microsoft Windows—Smart App Control (SAC) and SmartScreen. The identified vulner ... Read more

Published Date: Aug 10, 2024 (1 year ago)
  • TheCyberThrone
TheCyberThrone Security Week In Review – August 03, 2024

Welcome to TheCyberThrone cybersecurity week in review will be posted covering the important security happenings. This review is for the week ending Saturday, August 03, 2024.MOVEit fixes High Severit ... Read more

Published Date: Aug 04, 2024 (1 year ago)

The following table lists the changes that have been made to the CVE-2024-37085 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by NVD (NIST)

    Dec. 20, 2024

    Action Type Old Value New Value
    Changed CPE Configuration OR *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 4.0 up to (including) 5.2 *cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:* OR *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 4.0 up to (excluding) 5.2 *cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:*
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Nov. 21, 2024

    Action Type Old Value New Value
    Added Reference https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
  • Modified Analysis by NVD (NIST)

    Aug. 08, 2024

    Action Type Old Value New Value
    Removed CWE NIST NVD-CWE-Other
    Added CWE NIST CWE-287
    Changed CPE Configuration OR *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 4.0 up to (including) 4.5.2 *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 5.0 up to (excluding) 5.2 *cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:* OR *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 4.0 up to (including) 5.2 *cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:*
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Aug. 01, 2024

    Action Type Old Value New Value
    Added CWE CISA-ADP CWE-305
  • Initial Analysis by NVD (NIST)

    Jul. 31, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 No Types Assigned https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 Patch, Vendor Advisory
    Added CWE NIST NVD-CWE-Other
    Added CPE Configuration OR *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 4.0 up to (including) 4.5.2 *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 5.0 up to (excluding) 5.2 *cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:*
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Jul. 31, 2024

    Action Type Old Value New Value
    Added Date Added 2024-07-30
    Added Required Action Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
    Added Due Date 2024-08-20
    Added Vulnerability Name VMware ESXi Authentication Bypass Vulnerability
  • CVE Received by VMware (CNA)

    Jun. 25, 2024

    Action Type Old Value New Value
    Added Description VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
    Added Reference VMware https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 [No types assigned]
    Added CVSS V3.1 VMware AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
EPSS (Exploit Prediction Scoring System) is a daily estimate of the probability that exploitation activity will be observed over the next 30 days.
Vulnerability Scoring Details (NIST CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Base CVSS Score: 7.2
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High