Known Exploited Vulnerability
7.2
HIGH
CVE-2024-37085
VMware ESXi Authentication Bypass Vulnerability - [Actively Exploited]
Description

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.

INFO

Published Date: June 25, 2024, 3:15 p.m.
Last Modified: Aug. 8, 2024, 2:48 p.m.
Remotely Exploitable: Yes
Impact Score: 5.9
Exploitability Score: 1.2
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description: VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.

Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Notes: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505

Public PoC/Exploit Available at Github

CVE-2024-37085 has 7 public PoCs/exploits available on GitHub. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by the CVE-2024-37085 vulnerability. Although cvefeed.io is aware of the exact versions of the products that are affected, that information is not represented in the table below.

ID  Vendor  Product
1   Vmware  esxi
2   Vmware  cloud_foundation
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-37085.

URL: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505
Resource: Patch, Vendor Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs-of-concept that have been published on GitHub (sorted by the most recently updated).

(no description)

Updated: 2 months, 2 weeks ago
0 stars, 0 forks, 0 watchers
Created: Aug. 18, 2024, 5:48 p.m. This repo has been linked to 2 different CVEs.

CVE-2024-37085 unauthenticated shell upload to full administrator on domain-joined esxi hypervisors.

Updated: 2 months, 3 weeks ago
0 stars, 0 forks, 0 watchers
Created: Aug. 12, 2024, 5:44 p.m. This repo has been linked to 2 different CVEs.

CVE-2024-37085 VMware ESXi RCE Vulnerability

Language: Python

Updated: 2 months ago
6 stars, 1 fork, 1 watcher
Created: Aug. 6, 2024, 6:23 p.m. This repo has been linked to 1 CVE.

Vulnerability Scanner for CVE-2024-37085 and Exploits (For Educational Purpose only)

Language: Python

Updated: 2 months ago
2 stars, 0 forks, 0 watchers
Created: Aug. 2, 2024, 1:31 p.m. This repo has been linked to 1 CVE.

A GitHub repo to store the blogs, tutorials, and research I read, along with a brief summary of what they were about.

Updated: 2 months, 1 week ago
0 stars, 0 forks, 0 watchers
Created: July 22, 2024, 7:52 p.m. This repo has been linked to 1 CVE.

(no description)

Updated: 2 months, 3 weeks ago
0 stars, 0 forks, 0 watchers
Created: July 14, 2020, 7:52 a.m. This repo has been linked to 1 CVE.

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

Topics: security, cve, exploit, poc, vulnerability

Updated: 1 month, 4 weeks ago
6375 stars, 1107 forks, 1107 watchers
Created: Dec. 8, 2019, 1:03 p.m. This repo has been linked to 904 different CVEs.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2024-37085 vulnerability anywhere in the article.

  • TheCyberThrone
The CyberThrone Most Exploited Vulnerabilities Top 10 – October 2024

Welcome to TheCyberThrone most exploited vulnerabilities review. This review is for the month of October 2024. CVE-2024-21762: Fortinet FortiOS: Out-of-bounds Write. CVSS 3.1 score: 9.8. CISA KEV: Y ...

Published Date: Nov 01, 2024 (4 days, 2 hours ago)
  • The Hacker News
Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks

Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets ...

Published Date: Oct 23, 2024 (1 week, 6 days ago)
  • Cybersecurity News
Akira Ransomware Exploit CVE-2024-40766 in SonicWall SonicOS

[Image: The attack chain | S-RM] The notorious Akira ransomware group continues to adapt and refine its methods, solidifying its position as one of the most significant threats in the cyber landscape. Ac ...

Published Date: Oct 22, 2024 (2 weeks ago)
  • Cybersecurity News
PoC Exploit Released for Windows Hyper-V Zero-Day Vulnerability CVE-2024-38080

Security researcher Pwndorei published a detailed analysis alongside a proof-of-concept (PoC) exploit code for a patched zero-day vulnerability in Windows Hyper-V, tracked as CVE-2024-38080. This crit ...

Published Date: Sep 17, 2024 (1 month, 2 weeks ago)
  • Cybersecurity News
BlackByte Ransomware Group Exploits VMware CVE-2024-37085 Flaw, Shifts Tactics

The BlackByte ransomware group has re-emerged with an unsettling surge in activity and a refined set of tactics, techniques, and procedures (TTPs) that pose a heightened risk to organizations. Cisco T ...

Published Date: Aug 29, 2024 (2 months, 1 week ago)
  • Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News
BlackByte Ransomware Exploits New VMware Flaw in VPN-Based Attacks

BlackByte ransomware group is leveraging a newly discovered VMware ESXi vulnerability and VPN access to launch a new wave of attacks. Cisco Talos reveals the group’s tactics, urging organizations to p ...

Published Date: Aug 28, 2024 (2 months, 1 week ago)
  • Dark Reading
BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets

[Image source: mayam_studio via Shutterstock] Threat actors using the infamous BlackByte ransomware strain have joined the rapidly growing number of cybercriminals targeting a recent authentication bypass vuln ...

Published Date: Aug 28, 2024 (2 months, 1 week ago)
  • The Hacker News
BlackByte Ransomware Exploits VMware ESXi Flaw in Latest Attack Wave

The threat actors behind the BlackByte ransomware group have been observed likely exploiting a recently patched security flaw impacting VMware ESXi hypervisors, while also leveraging various vulnerabl ...

Published Date: Aug 28, 2024 (2 months, 1 week ago)
  • Help Net Security
BlackByte affiliates use new encryptor and new TTPs

BlackByte, the ransomware-as-a-service gang believed to be one of Conti’s splinter groups, has (once again) created a new iteration of its encryptor. “Talos observed some differences in the recent Bla ...

Published Date: Aug 28, 2024 (2 months, 1 week ago)
  • Cybersecurity News
Windows Sandbox Gets Supercharged: Clipboard and File Sharing Arrive

Microsoft continues to refine its Windows 11 experience with the introduction of significant updates to the Windows Sandbox application in the latest Windows 11 Canary Build 27686. Designed as a secur ...

Published Date: Aug 16, 2024 (2 months, 2 weeks ago)
  • Cybersecurity News
Golddigger and Gigabud Android Banking Trojans: Same Cybercriminal, New Tricks

[Image: Icons used by Gigabud malware | CRIL] A recent investigation by Cyble Intelligence and Research Labs (CRIL) has unveiled a significant connection between two prominent Android banking trojans: Go ...

Published Date: Aug 14, 2024 (2 months, 3 weeks ago)
  • Cybersecurity News
Windows Smart App Control, SmartScreen Vulnerable to Exploits

[Image: Elastic Security Labs] Cybersecurity specialists have discovered significant flaws in the protective mechanisms of Microsoft Windows—Smart App Control (SAC) and SmartScreen. The identified vulner ...

Published Date: Aug 10, 2024 (2 months, 3 weeks ago)
  • TheCyberThrone
TheCyberThrone Security Week In Review – August 03, 2024

Welcome to TheCyberThrone cybersecurity week in review will be posted covering the important security happenings. This review is for the week ending Saturday, August 03, 2024. MOVEit fixes High Severit ...

Published Date: Aug 04, 2024 (3 months ago)
  • Cyber Security News
Weekly Cyber Security News Letter – Data Breaches, Vulnerability, Cyber Attack & More

Stay up to date with cybersecurity news! Our Weekly Cybersecurity Newsletter provides a curated summary of the most important updates, trends, and insights from the cybersecurity world. Whether you’re ...

Published Date: Aug 04, 2024 (3 months ago)
  • Help Net Security
Week in review: VMware ESXi zero-day exploited, SMS Stealer malware targeting Android users

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Why a strong patch management strategy is essential for reducing business risk In this Help Net Securi ...

Published Date: Aug 04, 2024 (3 months ago)
  • TheCyberThrone
Bitdefender patches critical vulnerability -CVE-2024-6980

Bitdefender has released a patch for a critical vulnerability in its GravityZone Update Server. The vulnerability that could potentially allow attackers to perform server-side request forgery attacks ...

Published Date: Aug 02, 2024 (3 months ago)
  • The Cyber Express
Weekly Vulnerability Report: Cyble Urges Fixes in ServiceNow, Outlook, Docker Engine

Cyble Research & Intelligence Labs (CRIL) researchers investigated 22 security vulnerabilities this week, plus industrial control system (ICS) vulnerabilities and dark web exploits, to help us arrive ...

Published Date: Aug 01, 2024 (3 months ago)
  • TheCyberThrone
Apache OfBiz Vulnerability CVE-2024-32113 Exploited in wild

Security researchers have observed up ticking reconnaissance attempts for the CVE-2024-32113 vulnerability in Apache OFBiz. The vulnerability, described as a path traversal issue, poses significant ri ...

Published Date: Aug 01, 2024 (3 months ago)
  • Cyber Security News
20,275 VMware ESXi Vulnerable Instances Exposed, Microsoft Warns of Massive Exploitation

Microsoft has issued a significant security alert regarding a vulnerability in VMware ESXi hypervisors, which ransomware operators have actively exploited. According to the Shadowserver Foundation, th ...

Published Date: Jul 31, 2024 (3 months ago)
  • TheCyberThrone
Google fixes critical vulnerability CVE-2024-6990 in Chrome

Google has released the latest security update for its Chrome browser, addressing several critical vulnerabilities. The latest advisory includes three significant security fixes, two classified as high ...

Published Date: Jul 31, 2024 (3 months ago)
  • TheCyberThrone
CISA adds CVE-2024-37085 to its KEV catalog

The U.S. CISA added an authentication bypass VMware ESXi vulnerability, tracked as CVE-2024-37085 with a CVSS score of 6.8, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw is an authenti ...

Published Date: Jul 31, 2024 (3 months ago)
  • TheCyberThrone
MOVEit fixes High Severity Vulnerability -CVE-2024-6576

Progress Software has warned customers about a new high-severity vulnerability that could allow attackers to escalate privileges within the system. The vulnerability tracked as CVE-2024-6576 with a CVS ...

Published Date: Jul 30, 2024 (3 months ago)
  • Help Net Security
VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085)

Ransomware operators have been leveraging CVE-2024-37085, an authentication bypass vulnerability affecting Active Directory domain-joined VMware ESXi hypervisors, to gain full administrative access to ...

Published Date: Jul 30, 2024 (3 months ago)
  • The Hacker News
VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access

A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by "several" ransomware groups to gain elevated permissions and deploy file-encrypting malware. The attac ...

Published Date: Jul 30, 2024 (3 months ago)
  • Cyber Security News
Ransomware Gangs Exploiting VMware ESXi Auth Bypass Flaw for Mass Attacks

Microsoft researchers have found a critical vulnerability in VMware’s ESXi hypervisors. Ransomware operators are using this problem to attack systems. This vulnerability, CVE-2024-37085, allows threat ...

Published Date: Jul 30, 2024 (3 months ago)
  • The Cyber Express
Ransomware Actors Exploit VMware ESXi Hypervisor Bug: Microsoft

Microsoft researchers have observed multiple ransomware operators exploiting a recently patched vulnerability in ESXi hypervisors to gain full administrative control over domain-joined ESXi servers. T ...

Published Date: Jul 29, 2024 (3 months ago)
  • Ars Technica
Hackers exploit VMware vulnerability that gives them hypervisor admin

AUTHENTICATION NOT REQUIRED — Create new group called "ESX Admins" and ESXi automatically gives it admin rights. [Image: Getty Images] Microsoft is urging users of VMware’s ESXi hypervisor to take immediate ...

Published Date: Jul 29, 2024 (3 months ago)
  • TheCyberThrone
Apache Pinot fixes CVE-2024-39676

Apache Pinot has recently disclosed a serious security vulnerability that could allow unauthorized actors to access sensitive system information, potentially leading to data leaks and security breache ...

Published Date: Jul 29, 2024 (3 months ago)
  • TheCyberThrone
Spring Cloud Dataflow Vulnerability -CVE-2024-37084

A critical vulnerability has been identified in Spring Cloud Data Flow, a popular microservices-based streaming and batch data processing platform used in Cloud Foundry and Kubernetes environments. Thi ...

Published Date: Jul 26, 2024 (3 months, 1 week ago)
  • TheCyberThrone
Docker fixes Critical Vulnerability -CVE-2024-41110

Docker has released an urgent security advisory that has fixes for a critical vulnerability in certain versions of Docker Engine that allows attackers to bypass authorization plugins. The vulnerability ...

Published Date: Jul 26, 2024 (3 months, 1 week ago)
  • TheCyberThrone
SIEMENS Fixes Several Vulnerabilities in SICAM Products

Siemens has released critical security advisory for its SICAM products vulnerabilities that could lead to unauthorized access and data leaks. The affected products include the SICAM A8000 RTUs, SICAM ...

Published Date: Jul 25, 2024 (3 months, 1 week ago)
  • TheCyberThrone
Progress fixes Critical Vulnerability in Telerik -CVE-2024-6327

Progress Software has fixed two vulnerabilities in Telerik Reporting tools that could lead to full system compromise and allow attackers to remotely execute code or inject malicious objects into aff ...

Published Date: Jul 25, 2024 (3 months, 1 week ago)
  • TheCyberThrone
Microsoft SmartScreen bug exploited in an infostealer campaign

Researchers have uncovered an info stealer campaign targeting Microsoft Windows users. This campaign exploits a known vulnerability to bypass security measures and steal sensitive data. The vulnerabili ...

Published Date: Jul 25, 2024 (3 months, 1 week ago)
  • TheCyberThrone
Cisco fixes RCE Vulnerability in its Routers -CVE-2024-20416

Cisco has released a patch for a vulnerability in their RV340 and RV345 Dual WAN Gigabit VPN routers that could allow an authenticated attacker to remotely execute arbitrary code on affected devices. T ...

Published Date: Jul 23, 2024 (3 months, 1 week ago)
  • TheCyberThrone
Oracle Fixes Critical Weblogic Server Vulnerability -CVE-2024-21181

Oracle has released a patch for a critical vulnerability in its WebLogic Server product that could lead to a complete takeover of the server. It is easily exploitable and does not require any authentication, mak ...

Published Date: Jul 22, 2024 (3 months, 1 week ago)

The following table lists the changes that have been made to the CVE-2024-37085 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected] (Aug. 08, 2024)

    Removed CWE (old value): NIST NVD-CWE-Other
    Added CWE (new value): NIST CWE-287
    Changed CPE Configuration:
      Old value (OR):
        cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 4.0 up to (including) 4.5.2
        cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 5.0 up to (excluding) 5.2
        cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:*
      New value (OR):
        cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 4.0 up to (including) 5.2
        cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:*

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Aug. 01, 2024)

    Added CWE (new value): CISA-ADP CWE-305

  • Initial Analysis by [email protected] (Jul. 31, 2024)

    Added CVSS V3.1 (new value): NIST AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 from "No Types Assigned" to "Patch, Vendor Advisory"
    Added CWE (new value): NIST NVD-CWE-Other
    Added CPE Configuration (new value, OR):
        cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 4.0 up to (including) 4.5.2
        cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:* versions from (including) 5.0 up to (excluding) 5.2
        cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:*
        cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:*

  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725 (Jul. 31, 2024)

    Added Date Added: 2024-07-30
    Added Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
    Added Due Date: 2024-08-20
    Added Vulnerability Name: VMware ESXi Authentication Bypass Vulnerability

  • CVE Received by [email protected] (Jun. 25, 2024)

    Added Description: VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
    Added Reference: VMware https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 [No types assigned]
    Added CVSS V3.1: VMware AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
EPSS is a daily estimate of the probability that exploitation activity will be observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.

[Chart: EPSS score history for CVE-2024-37085]
CVSS 3.1 - Vulnerability Scoring System (NIST vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High