Critical ESXi Authentication Bypass: Defending Against CVE-2024-37085 and AD-Based Lateral Movement
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
Frequently Asked Questions
What is CVE-2024-37085 and why does it matter?
CVE-2024-37085 is an authentication bypass vulnerability in VMware ESXi with a CVSS score of 6.8. It allows actors with Active Directory permissions to gain full access to an ESXi host by re-creating a specific AD group. This is critical because it has been observed in active ransomware campaigns, potentially leading to total infrastructure compromise.
Which versions of VMware ESXi are affected by this vulnerability?
The affected versions include VMware ESXi 8.0, 7.0, 5.x (including 5.0), and 4.x (including 4.0). Organizations running any of these versions with Active Directory configured for user management are potentially vulnerable and should prioritize updates or mitigations immediately.
Has a patch been released for CVE-2024-37085?
Yes, Broadcom has released patches and official security advisories for CVE-2024-37085. Administrators should refer to the official support documentation at https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 to obtain the necessary updates for their specific environment.
What is the remediation deadline and what does it mean for compliance?
The remediation deadline is set for 2024-08-20. For organizations following CISA guidelines or federal mandates, this date represents the final point by which the vulnerability must be mitigated or patched to maintain compliance and ensure protection against known exploitation attempts.
How can I check if my ESXi deployment is affected by CVE-2024-37085?
To check if an instance is affected, administrators should verify if their ESXi hosts are joined to an Active Directory domain. If the host uses AD for management and is running an affected version (such as 8.0 or 7.0), it is vulnerable unless the official patches from the vendor have been applied.
CVE-2024-37085 identifies a significant authentication bypass vulnerability in VMware ESXi, carrying a CVSS score of 6.8 (Medium) and an EPSS score of 0.71917, placing it in the 98.8th percentile for exploitation risk. This flaw allows attackers with specific Active Directory permissions to obtain full administrative access to ESXi hosts. Given its active use in ransomware operations, organizations must prioritize remediation before the August 20, 2024, deadline.
Vulnerability Profile
CVE ID: CVE-2024-37085
Affected Product & Versions: ESXi 8.0, 7.0, 5.x, 4.x
CVSS Score & Severity: 6.8 (MEDIUM)
CVSS Version: 3.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
CWE IDs: CWE-305
Date Disclosed: 2024-07-30
Remediation Deadline: 2024-08-20
SSVC Exploitation Status: Active
Known Ransomware Use: Yes
EPSS Score & Percentile: 0.71917 (98.8%)
Patch Available: Yes
Vulnerability Overview: The Mechanism of CVE-2024-37085
VMware ESXi hosts often integrate with Microsoft Active Directory (AD) to streamline user management and centralize authentication. By default, when an ESXi host joins an AD domain, it designates a specific AD group—traditionally named "ESXi Admins"—to be granted full administrative privileges on the host. CVE-2024-37085 arises from a logical flaw in how ESXi validates the existence and membership of this group.
The vulnerability is triggered when the "ESXi Admins" group is deleted from the AD domain and subsequently re-created. A malicious actor with sufficient permissions within Active Directory to create groups can re-create this group, even if they do not possess administrative rights on the ESXi host itself. Upon the group's re-creation, the ESXi host automatically grants full administrative access to any user belonging to that newly created group. This represents a significant failure in the trust relationship between the hypervisor and the identity provider.
Technical Deep Dive: CWE-305 and the Active Directory Attack Surface
This vulnerability is classified under CWE-305: Authentication Bypass by Primary Weakness. In the context of CVE-2024-37085, the "primary weakness" is the hypervisor's reliance on a group name rather than a more secure, immutable identifier (such as a Security Identifier or SID) that is uniquely tied to the original authorized group.
The Attack Chain
Pre-requisite State: The ESXi host is joined to an Active Directory domain and configured to recognize the default "ESXi Admins" group.
Group Deletion: The original "ESXi Admins" group is removed from the AD environment (either through routine maintenance or malicious intent).
Group Re-creation: An attacker with AD permissions (specifically those allowing the creation of groups) re-creates a group with the exact same name.
Bypass Execution: The attacker adds their own account to this new group. The ESXi host, upon its next sync or authentication check, identifies the group name match and grants the attacker full administrative control over the host.
Blast Radius and Ransomware Context
The blast radius of this vulnerability is total: a compromise of an ESXi host allows an attacker to manipulate, exfiltrate, or encrypt every virtual machine (VM) running on that host. The high EPSS score (0.71917) and confirmed ransomware use indicate that threat actors are actively leveraging this flaw to escalate privileges within enterprise environments. Once an attacker gains a foothold in AD, they use this bypass to move laterally from the identity management layer to the virtualization layer, which often contains the organization's most sensitive data and critical services.
Who Is Affected: Impact Assessment and Compliance Standards
This vulnerability affects a wide range of VMware ESXi deployments, specifically versions 8.0, 7.0, and legacy versions 5.x and 4.x. Any organization utilizing ESXi in a domain-joined configuration is at risk.
Compliance and Regulatory Notes
For United States federal agencies and organizations adhering to CISA (Cybersecurity and Infrastructure Security Agency) guidelines, this vulnerability falls under BOD 22-01 (Binding Operational Directive). The remediation deadline of August 20, 2024, is a strict mandate for federal civilian executive branch agencies to apply patches. For private sector organizations, this deadline serves as a benchmark for high-priority risk management, as the "active exploitation" status suggests that scanners and automated exploit kits may already be targeting these misconfigurations.
Official Remediation Steps and Mitigation Pathways
The primary remediation for CVE-2024-37085 is the application of official security patches provided by Broadcom.
Step-by-Step Recovery
Identify Vulnerable Hosts: Audit all ESXi hosts to determine their version and whether they are joined to an Active Directory domain.
Verify Group Membership: Check the Active Directory environment for the presence of the "ESXi Admins" group and audit its membership history.
Apply Patches: Download and install the relevant patches from the Broadcom Support Portal. Ensure that ESXi 8.0 and 7.0 hosts are updated to the latest minor versions specified in the advisory.
Review Configuration: If patching is not immediately feasible, consider temporarily removing ESXi hosts from the AD domain or changing the default administrative group name to a non-standard value that is not easily guessed or re-created.
Strategic Security Best Practices for Virtualization Hardening
To defend against CWE-305 and similar authentication bypasses, security teams should implement the following defense-in-depth measures:
Implement AD Change Monitoring: Deploy monitoring solutions that alert on the creation, deletion, or modification of high-privilege groups in Active Directory, specifically those tied to infrastructure management.
Transition to SID-Based Auth: Where possible, configure infrastructure components to use Security Identifiers (SIDs) rather than simple string-based group names for authentication.
Isolate Management Networks: Ensure that ESXi management interfaces are isolated on a dedicated, firewalled management network that is not accessible from the general corporate LAN.
Enforce Multi-Factor Authentication (MFA): Apply MFA to all administrative access points, including the accounts used for Active Directory management and hypervisor access.
Principle of Least Privilege (PoLP): Restrict group creation permissions in Active Directory. Only a highly limited number of users should have the ability to create or delete groups within the organizational units (OUs) that manage infrastructure access.
Regular Configuration Audits: Use automated tools to periodically audit the authentication settings of ESXi hosts to ensure they align with the latest security hardening guides from VMware and CIS (Center for Internet Security).
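As an added example (not part of this advisory or of any vendor tooling), the following Python detector applies the AD change monitoring recommended above to the delete-then-re-create sequence described in the attack chain. The event records, the watch list, the account names and the SIDs are constructed for illustration; the field names follow the Windows Security log, using the group lifecycle events 4727/4730/4728 and their universal-group equivalents 4754/4758/4756.

```python
# Windows Security event IDs for security-enabled group lifecycle events
# (global groups plus their universal-group equivalents).
GROUP_CREATED, GROUP_DELETED, MEMBER_ADDED = {4727, 4754}, {4730, 4758}, {4728, 4756}
# Hypothetical watch list: AD group name(s) that ESXi hosts treat as host admins.
WATCHED_GROUPS = {"esxi admins"}

def detect_group_recreation(events, watched=WATCHED_GROUPS):
    """Walk events in time order and flag delete -> re-create -> member-add
    sequences for watched groups. A re-created group always receives a new
    SID, so the SID change is kept as evidence. Returns a list of alert dicts."""
    alerts, deleted_sid, recreated = [], {}, {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        name = ev.get("TargetUserName", "").lower()
        if name not in watched:
            continue  # routine churn in other groups is out of scope here
        eid, sid = ev["EventID"], ev.get("TargetSid", "")
        base = {"group": name, "actor": ev["SubjectUserName"], "time": ev["TimeCreated"]}
        if eid in GROUP_DELETED:
            deleted_sid[name] = sid
            alerts.append({**base, "severity": "medium", "detail": f"watched group deleted (SID {sid})"})
        elif eid in GROUP_CREATED and name in deleted_sid:
            recreated[name] = sid
            alerts.append({**base, "severity": "high",
                           "detail": f"watched group re-created; SID {deleted_sid[name]} -> {sid}"})
        elif eid in MEMBER_ADDED and name in recreated:
            alerts.append({**base, "severity": "critical",
                           "detail": f"{ev.get('MemberName')} added to re-created group"})
    return alerts

# Constructed sample events (not real log data). The first 4727 is the
# legitimate original creation and must not raise an alert.
SAMPLE_EVENTS = [
    {"EventID": 4727, "TargetUserName": "ESXi Admins", "TargetSid": "S-1-5-21-1-1-1-1105",
     "SubjectUserName": "it-admin", "TimeCreated": "2024-07-01T09:00:00Z"},
    {"EventID": 4730, "TargetUserName": "ESXi Admins", "TargetSid": "S-1-5-21-1-1-1-1105",
     "SubjectUserName": "it-admin", "TimeCreated": "2024-07-15T17:30:00Z"},
    {"EventID": 4727, "TargetUserName": "ESXi Admins", "TargetSid": "S-1-5-21-1-1-1-2210",
     "SubjectUserName": "helpdesk7", "TimeCreated": "2024-07-16T02:10:00Z"},
    {"EventID": 4728, "TargetUserName": "ESXi Admins", "TargetSid": "S-1-5-21-1-1-1-2210",
     "MemberName": "CN=helpdesk7,CN=Users,DC=example,DC=local",
     "SubjectUserName": "helpdesk7", "TimeCreated": "2024-07-16T02:11:00Z"},
    {"EventID": 4727, "TargetUserName": "Print Operators", "TargetSid": "S-1-5-21-1-1-1-2211",
     "SubjectUserName": "it-admin", "TimeCreated": "2024-07-16T08:00:00Z"},
]

if __name__ == "__main__":
    for a in detect_group_recreation(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['group']}: {a['detail']} (by {a['actor']})")
```

In a real deployment the watch list would be populated from each host's configured admin group name, so that a renamed group (per the configuration-review step above) is monitored under its new name rather than the default.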