CVE-2024-37085
VMware ESXi Authentication Bypass Vulnerability - [Actively Exploited]
Description
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
INFO
Published Date :
June 25, 2024, 3:15 p.m.
Last Modified :
Dec. 20, 2024, 4:52 p.m.
Source :
[email protected]
Remotely Exploitable :
Yes !
Impact Score :
5.9
Exploitability Score :
1.2
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505; https://nvd.nist.gov/vuln/detail/CVE-2024-37085
Public PoC/Exploit Available at Github
CVE-2024-37085 has a 7 public PoC/Exploit
available at Github.
Go to the Public Exploits
tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-37085
.
URL | Resource |
---|---|
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 | Patch Vendor Advisory |
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 | Patch Vendor Advisory |
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
CVE-2024-37085 unauthenticated shell upload to full administrator on domain-joined esxi hypervisors.
CVE-2024-37085 VMware ESXi RCE Vulnerability
Python
Vulnerability Scanner for CVE-2024-37085 and Exploits ( For Educational Purpose only)
Python
A GitHub repo to store the blogs, tutorials, and research I read, along with a brief summary of what they were about.
None
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
security cve exploit poc vulnerability
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-37085
vulnerability anywhere in the article.
- Kaspersky
IT threat evolution in Q3 2024. Non-mobile statistics
IT threat evolution in Q3 2024 IT threat evolution in Q3 2024. Non-mobile statistics IT threat evolution in Q3 2024. Mobile statistics The statistics presented here are based on detection verdicts by ... Read more
- TheCyberThrone
The CyberThrone Most Exploited Vulnerabilities Top 10 – October 2024
Welcome to TheCyberThrone most exploited vulnerabilities review. This review is for the month of October 2024CVE-2024-21762: Fortinet FortiOS: Out-of-bounds WriteCVSS 3.1 score : 9.8 CISA KEV : Y ... Read more
- The Hacker News
Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks
Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets ... Read more
- Cybersecurity News
Akira Ransomware Exploit CVE-2024-40766 in SonicWall SonicOS
The attack chain | Image: S-RMThe notorious Akira ransomware group continues to adapt and refine its methods, solidifying its position as one of the most significant threats in the cyber landscape. Ac ... Read more
- Cybersecurity News
PoC Exploit Released for Windows Hyper-V Zero-Day Vulnerability CVE-2024-38080
Security researcher Pwndorei published a detailed analysis alongside a proof-of-concept (PoC) exploit code for a patched zero-day vulnerability in Windows Hyper-V, tracked as CVE-2024-38080. This crit ... Read more
- Cybersecurity News
BlackByte Ransomware Group Exploits VMware CVE-2024-37085 Flaw, Shifts Tactics
The BlackByte ransomware group has re-emerged with an unsettling surge in activity and a refined set of tactics, techniques, and procedures (TTPs) that pose a heightened risk to organizations. Cisco T ... Read more
- Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News
BlackByte Ransomware Exploits New VMware Flaw in VPN-Based Attacks
BlackByte ransomware group is leveraging a newly discovered VMware ESXi vulnerability and VPN access to launch a new wave of attacks. Cisco Talos reveals the group’s tactics, urging organizations to p ... Read more
- Dark Reading
BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets
Source: mayam_studio via ShutterstockThreat actors using the infamous BlackByte ransomware strain have joined the rapidly growing number of cybercriminals targeting a recent authentication bypass vuln ... Read more
- The Hacker News
BlackByte Ransomware Exploits VMware ESXi Flaw in Latest Attack Wave
The threat actors behind the BlackByte ransomware group have been observed likely exploiting a recently patched security flaw impacting VMware ESXi hypervisors, while also leveraging various vulnerabl ... Read more
- Help Net Security
BlackByte affiliates use new encryptor and new TTPs
BlackByte, the ransomware-as-a-service gang believed to be one of Conti’s splinter groups, has (once again) created a new iteration of its encryptor. “Talos observed some differences in the recent Bla ... Read more
- Cybersecurity News
Windows Sandbox Gets Supercharged: Clipboard and File Sharing Arrive
Microsoft continues to refine its Windows 11 experience with the introduction of significant updates to the Windows Sandbox application in the latest Windows 11 Canary Build 27686. Designed as a secur ... Read more
- Cybersecurity News
Golddigger and Gigabud Android Banking Trojans: Same Cybercriminal, New Tricks
Icons used by Gigabud malware | Image: CRILA recent investigation by Cyble Intelligence and Research Labs (CRIL) has unveiled a significant connection between two prominent Android banking trojans: Go ... Read more
- Cybersecurity News
Windows Smart App Control, SmartScreen Vulnerable to Exploits
Image: Elastic Security LabsCybersecurity specialists have discovered significant flaws in the protective mechanisms of Microsoft Windows—Smart App Control (SAC) and SmartScreen. The identified vulner ... Read more
- TheCyberThrone
TheCyberThrone Security Week In Review – August 03, 2024
Welcome to TheCyberThrone cybersecurity week in review will be posted covering the important security happenings. This review is for the week ending Saturday, August 03, 2024.MOVEit fixes High Severit ... Read more
- Cyber Security News
Weekly Cyber Security News Letter – Data Breaches, Vulnerability, Cyber Attack & More
Stay up to date with cybersecurity news! Our Weekly Cybersecurity Newsletter provides a curated summary of the most important updates, trends, and insights from the cybersecurity world. Whether you’re ... Read more
- Help Net Security
Week in review: VMware ESXi zero-day exploited, SMS Stealer malware targeting Android users
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Why a strong patch management strategy is essential for reducing business risk In this Help Net Securi ... Read more
- TheCyberThrone
Bitdefender patches critical vulnerability -CVE-2024-6980
Bitdefender has released a patch for a critical vulnerability in its GravityZone Update Server. The vulnerability that could potentially allow attackers to perform server-side request forgery attacks ... Read more
- The Cyber Express
Weekly Vulnerability Report: Cyble Urges Fixes in ServiceNow, Outlook, Docker Engine
Cyble Research & Intelligence Labs (CRIL) researchers investigated 22 security vulnerabilities this week, plus industrial control system (ICS) vulnerabilities and dark web exploits, to help us arrive ... Read more
- TheCyberThrone
Apache OfBiz Vulnerability CVE-2024-32113 Exploited in wild
Security researchers have observed up ticking reconnaissance attempts for the CVE-2024-32113 vulnerability in Apache OFBiz. The vulnerability, described as a path traversal issue, poses significant ri ... Read more
- Cyber Security News
20,275 VMware ESXi Vulnerable Instances Exposed, Microsoft Warns of Massive Exploitation
Microsoft has issued a significant security alert regarding a vulnerability in VMware ESXi hypervisors, which ransomware operators have actively exploited. According to the Shadowserver Foundation, th ... Read more
- TheCyberThrone
Google fixes critical vulnerability CVE-2024-6990 in Chrome
Google has released the latest security update for its Chrome browser, addressing several critical vulnerabilities.The latest advisory includes three significant security fixes, two classified as high ... Read more
- TheCyberThrone
CISA adds CVE-2024-37085 to its KEV catalog
The U.S. CISA added an authentication bypass VMware ESXi vulnerability, tracked as CVE-2024-37085 with a CVSS score of 6.8, to its Known Exploited Vulnerabilities (KEV) catalog.The flaw is an authenti ... Read more
- TheCyberThrone
MOVEit fixes High Severity Vulnerability -CVE-2024-6576
Progress Software has warned customers about a new high-severity vulnerability that could allow attackers to escalate privileges within the system.The vulnerability tracked as CVE-2024-6576 with a CVS ... Read more
- Help Net Security
VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085)
Ransomware operators have been leveraging CVE-2024-37085, an authentication bypass vulnerability affecting Active Directory domain-joined VMware ESXi hypervisors, to gain full administrative access to ... Read more
- The Hacker News
VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access
A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by "several" ransomware groups to gain elevated permissions and deploy file-encrypting malware. The attac ... Read more
- Cyber Security News
Ransomware Gangs Exploiting VMware ESXi Auth Bypass Flaw for Mass Attacks
Microsoft researchers have found a critical vulnerability in VMware’s ESXi hypervisors. Ransomware operators are using this problem to attack systems. This vulnerability, CVE-2024-37085, allows threat ... Read more
- The Cyber Express
Ransomware Actors Exploit VMware ESXi Hypervisor Bug: Microsoft
Microsoft researchers have observed multiple ransomware operators exploiting a recently patched vulnerability in ESXi hypervisors to gain full administrative control over domain-joined ESXi servers. T ... Read more
- Ars Technica
Hackers exploit VMware vulnerability that gives them hypervisor admin
AUTHENTICATION NOT REQUIRED — Create new group called "ESX Admins" and ESXi automatically gives it admin rights. Getty Images Microsoft is urging users of VMware’s ESXi hypervisor to take immediate ... Read more
- TheCyberThrone
Apache Pinot fixes CVE-2024-39676
Apache Pinot has recently disclosed a serious security vulnerability that could allow unauthorized actors to access sensitive system information, potentially leading to data leaks and security breache ... Read more
- TheCyberThrone
Spring Cloud Dataflow Vulnerability -CVE-2024-37084
A critical vulnerability has been identified in Spring Cloud Data Flow, a popular microservices-based streaming and batch data processing platform used in Cloud Foundry and Kubernetes environments.Thi ... Read more
- TheCyberThrone
Docker fixes Critical Vulnerability -CVE-2024-41110
Docker has released an urgent security advisory that has fixes for a critical vulnerability in certain versions of Docker Engine that allows attackers to bypass authorization plugins.The vulnerability ... Read more
- TheCyberThrone
SIEMENS Fixes Several Vulnerabilities in SICAM Products
Siemens has released critical security advisory for its SICAM products vulnerabilities that could lead to unauthorized access and data leaks. The affected products include the SICAM A8000 RTUs, SICAM ... Read more
- TheCyberThrone
Progress fixes Critical Vulnerability in Telerik -CVE-2024-6327
Progress Software’s has fixed two vulnerabilities in Telerik Reporting tools that could lead to full system compromise and allow attackers to remotely execute code or inject malicious objects into aff ... Read more
- TheCyberThrone
Microsoft SmartScreen bug exploited in an infostealer campaign
Researchers have uncovered an info stealer campaign targeting Microsoft Windows users. This campaign exploits a known vulnerability to bypass security measures and steal sensitive data.The vulnerabili ... Read more
- TheCyberThrone
Cisco fixes RCE Vulnerability in its Routers -CVE-2024-20416
Cisco has released a patch for a vulnerability in their RV340 and RV345 Dual WAN Gigabit VPN routers that could allow an authenticated attacker to remotely execute arbitrary code on affected devices.T ... Read more
- TheCyberThrone
Oracle Fixes Critical Weblogic Server Vulnerability -CVE-2024-21181
Oracle has released patch for a critical vulnerability WebLogic Server product, that could lead to a complete takeover of the server. is easily exploitable and does not require any authentication, mak ... Read more
The following table lists the changes that have been made to the
CVE-2024-37085
vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Dec. 20, 2024
Action Type Old Value New Value Changed CPE Configuration OR *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 4.0 up to (including) 5.2 *cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:* OR *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 4.0 up to (excluding) 5.2 *cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:* -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 21, 2024
Action Type Old Value New Value Added Reference https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 -
Modified Analysis by [email protected]
Aug. 08, 2024
Action Type Old Value New Value Removed CWE NIST NVD-CWE-Other Added CWE NIST CWE-287 Changed CPE Configuration OR *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 4.0 up to (including) 4.5.2 *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 5.0 up to (excluding) 5.2 *cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:* OR *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 4.0 up to (including) 5.2 *cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:* -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Aug. 01, 2024
Action Type Old Value New Value Added CWE CISA-ADP CWE-305 -
Initial Analysis by [email protected]
Jul. 31, 2024
Action Type Old Value New Value Added CVSS V3.1 NIST AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Changed Reference Type https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 No Types Assigned https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 Patch, Vendor Advisory Added CWE NIST NVD-CWE-Other Added CPE Configuration OR *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 4.0 up to (including) 4.5.2 *cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 5.0 up to (excluding) 5.2 *cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:* *cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:* -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Jul. 31, 2024
Action Type Old Value New Value Added Date Added 2024-07-30 Added Required Action Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Added Due Date 2024-08-20 Added Vulnerability Name VMware ESXi Authentication Bypass Vulnerability -
CVE Received by [email protected]
Jun. 25, 2024
Action Type Old Value New Value Added Description VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD. Added Reference VMware https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 [No types assigned] Added CVSS V3.1 VMware AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-37085
is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-37085
weaknesses.