Microsoft researchers have discovered a vulnerability in ESXi hypervisors, identified as CVE-2024-37085. This flaw is being exploited by ransomware operators to gain full administrative access to domain-joined ESXi hypervisors, enabling them to encrypt file systems, access hosted virtual machines, and move laterally within networks. The vulnerability stems from a default configuration issue that allows members of a domain group named "ESX Admins" to have full administrative privileges. It is recommended to update ESXi to the most recent versions.
The vulnerability involves a group named "ESX Admins": if a group with that name is created in an Active Directory domain, or an existing group is renamed to it, its members receive full administrative access to every domain-joined ESXi hypervisor. This happens because ESXi does not validate the group; it grants the access based solely on the group name rather than on a security identifier (SID).
The vulnerability can be exploited through several methods, including creating the "ESX Admins" group, renaming an existing group to "ESX Admins," or exploiting delayed privilege refresh in ESXi. This flaw has been used in attacks by ransomware operators such as Storm-0506 and Storm-1175, leading to ransomware deployments like Akira and Black Basta.
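Because the access is keyed on the group name, the creation or renaming events themselves are the detection point. The following is an added example, not code from Microsoft's report; it classifies constructed Windows Security events and assumes the standard event IDs (4727/4731/4754 group created, 4781 account renamed, 4728/4732/4756 member added) and their field names (TargetUserName, OldTargetUserName, NewTargetUserName, MemberName). The name comparison is case-insensitive as a deliberately broad detection choice, not a statement about how ESXi compares names.

```python
"""Flag creation of, renaming to, or membership changes on an AD group
named "ESX Admins" in Windows Security events (constructed samples)."""
from dataclasses import dataclass, field

SUSPECT_GROUP = "ESX Admins"

# Assumed Windows Security log event IDs (not taken from the advisory).
GROUP_CREATED = {4727, 4731, 4754}   # security-enabled group created
ACCOUNT_RENAMED = {4781}             # the name of an account was changed
MEMBER_ADDED = {4728, 4732, 4756}    # member added to a security-enabled group


@dataclass
class Event:
    event_id: int
    subject: str                     # account that performed the action
    fields: dict = field(default_factory=dict)   # selected event data fields


def _is_suspect(name):
    return name is not None and name.strip().lower() == SUSPECT_GROUP.lower()


def classify(event):
    """Return a finding string for a suspicious event, or None if benign."""
    f = event.fields
    if event.event_id in GROUP_CREATED and _is_suspect(f.get("TargetUserName")):
        return f"group '{SUSPECT_GROUP}' created by {event.subject}"
    if event.event_id in ACCOUNT_RENAMED and _is_suspect(f.get("NewTargetUserName")):
        return (f"group '{f.get('OldTargetUserName')}' renamed to "
                f"'{SUSPECT_GROUP}' by {event.subject}")
    if event.event_id in MEMBER_ADDED and _is_suspect(f.get("TargetUserName")):
        return f"{f.get('MemberName')} added to '{SUSPECT_GROUP}' by {event.subject}"
    return None


def scan(events):
    """Return the findings for all suspicious events, in log order."""
    return [hit for hit in (classify(e) for e in events) if hit]


# Constructed sample events; names and domain are placeholders.
SAMPLE_EVENTS = [
    Event(4727, "CORP\\jdoe", {"TargetUserName": "ESX Admins"}),
    Event(4727, "CORP\\jdoe", {"TargetUserName": "Helpdesk"}),
    Event(4781, "CORP\\jdoe", {"OldTargetUserName": "Helpdesk",
                               "NewTargetUserName": "esx admins"}),
    Event(4728, "CORP\\jdoe", {"TargetUserName": "ESX Admins",
                               "MemberName": "CN=svc_backup,OU=Users,DC=corp,DC=example"}),
    Event(4728, "CORP\\jdoe", {"TargetUserName": "Domain Users",
                               "MemberName": "CN=newhire,OU=Users,DC=corp,DC=example"}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the same classification would be applied to events forwarded from domain controllers, with the renamed-group case given the same priority as creation.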