AI description
CVE-2024-37085 is an authentication bypass vulnerability affecting VMware ESXi. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management. This can be achieved by re-creating the configured AD group (named 'ESXi Admins' by default) after it has been deleted from AD. Successful exploitation allows an attacker who has already gained limited system rights on a targeted server to escalate their privileges and gain full administrative control of the ESXi hypervisor. With this level of access, an attacker can manipulate the hypervisor's settings, control the guest operating systems, and potentially encrypt the file system.
- Description
- VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
- Source
- security@vmware.com
- NVD status
- Modified
- Products
- cloud_foundation, esxi
CVSS 3.1
- Type
- Primary
- Base score
- 7.2
- Impact score
- 5.9
- Exploitability score
- 1.2
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
Data from CISA
- Vulnerability name
- VMware ESXi Authentication Bypass Vulnerability
- Exploit added on
- Jul 30, 2024
- Exploit action due
- Aug 20, 2024
- Required action
- Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
- Hype score
- Not currently trending
🚨 ¡Alerta de seguridad crítica! 🚨 Se ha identificado la vulnerabilidad CVE-2024-37085, que permite omisión de autenticación en Active Directory. 🛡️ Esta brecha podría dar acceso no autorizado a recursos valiosos. ¡Es crucial actuar ahora! 🔧 🔍 Recomienda: Aplicar parches y…
@antu_tech
19 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Hypervisors were “untouchable” until CVE-2024-37085: create “ESX Admins,” own ESXi. UNC3944 dials IT; Black Basta turns off the lights. Patch, segment, keep backups holy. 🔧😈 Skim the playbook and subscribe -> https://t.co/wrEXN3EXpn #AlphaHunt #CyberSecurity #R
@alphahunt_io
15 Oct 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Hypervisor ransomware learned a new trick: CVE-2024-37085 + AD abuse = ESXi pancake. Patch late, encrypt early. 🔥🔒 We map the kill chain and stop the blast radius before your VMs flatline. Get the playbook—then subscribe for the next hit. https://t.co/wrEXN3EXpn #Alpha
@alphahunt_io
30 Sept 2025
56 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-37085 + AD abuse = hypervisor chaos. VMware ESXi under siege—patch, segment, survive. 🔥🔒 Read: https://t.co/wrEXN3EXpn Want fast, actionable threat calls? Subscribe. https://t.co/wrEXN3EXpn #AlphaHunt #CyberSecurity #VMware
@alphahunt_io
24 Sept 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Ransomware crews turned CVE-2024-37085 into an ESXi kill switch. Add AD misconfigs + Babuk-leak code = entire farms locked overnight. Hope your “immutable” backups aren’t imaginary. 🕷️💀 Read the breakdown & subscribe/ https://t.co/wrEXN3EXpn #AlphaHunt #CyberS
@alphahunt_io
11 Sept 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Scattered Spider phishes help desks, rides CVE-2024-37085 + AD group abuse to ESXi root; Babuk-leak lockers do the cleanup. Patch now, lock AD, test restores—before your farm pays rent in crypto. 🕷️🔒 Read the breakdown & subscribe https://t.co/wrEXN3EXpn #AlphaHu
@alphahunt_io
5 Sept 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Scattered Spider is back in your vSphere: help-desk phish + CVE-2024-37085 AD group trick → root on ESXi; Babuk-built lockers finish the job. FBI/CISA just updated guidance. Patch, lock AD, test restores. Read more / subscribe https://t.co/wrEXN3EXpn #AlphaHunt #CyberSecurit
@alphahunt_io
22 Aug 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Ransomware vulns with highest exploit likelihood ⬆️ (past 30d): - CVE-2025-53770 (SharePoint..) +108108.75% - CVE-2023-20269 (ASA..) +58.41% - CVE-2023-20269 (FTD..) +58.41% - CVE-2024-42057 (Zyxel Firewall..) +29.73% - CVE-2024-37085 (ESXi..) +20.63%
@DefusedCyber
18 Aug 2025
20187 Impressions
30 Retweets
184 Likes
111 Bookmarks
2 Replies
1 Quote
Scattered Spider hackers are hitting VMware ESXi systems in retail, airlines, and more—using social engineering and custom rootkits. Patch CVE-2024-37085, restrict SSH access, and watch for unusual ESXi activity. Details: https://t.co/40bWOD0MEq
@RedTeamNewsBlog
27 Jul 2025
89 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
VMware changes default Active Directory Integration settings CVE-2024-37085, CVE-2024-37086, CVE-2024-37087 https://t.co/bUYfef9stt
@vspinmaster
7 Jun 2025
165 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
VMware changes default Active Directory Integration settings CVE-2024-37085, CVE-2024-37086, CVE-2024-37087 https://t.co/bUYfef9stt
@vspinmaster
25 Apr 2025
104 Impressions
0 Retweets
2 Likes
1 Bookmark
0 Replies
0 Quotes
Actively exploited CVE : CVE-2024-37085
@transilienceai
24 Nov 2024
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
#Akira #Ransomware DLS is online again. hxxps://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/ Their favorite vulnerabilities used in different breaches are: CVE-2023-27532, CVE-2024-37085 https://t.co/ep1WtMrFtF
@ShanHolo
11 Nov 2024
541 Impressions
4 Retweets
10 Likes
2 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "7FA8DFE6-9C74-4711-A8AF-3B170876A1F9",
"versionEndExcluding": "5.2",
"versionStartIncluding": "4.0"
},
{
"criteria": "cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "48D2E2D5-A0B8-4AF1-BF4A-30154F754C94"
},
{
"criteria": "cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "7A1A402A-9262-4B97-A0B7-E5AE045E394D"
},
{
"criteria": "cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "FE44B379-9943-4DD1-8514-26F87482AFA8"
},
{
"criteria": "cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "2A797377-8945-4D75-AA68-A768855E5842"
},
{
"criteria": "cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "79D84D76-54BE-49E9-905C-7D65B4B42D68"
},
{
"criteria": "cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "2F8767F7-7C3D-457D-9EAC-E8A30796F751"
},
{
"criteria": "cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "29AF8474-2D7A-4C5A-82B9-7A873AD90C2E"
},
{
"criteria": "cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "7781A2CA-D927-48CD-9932-AE42B7BA1EFE"
},
{
"criteria": "cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "18FD08C9-5895-4BF4-BBE0-C2DDA5F6B836"
},
{
"criteria": "cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "360C1B71-5360-4379-B0DE-63BB8F5E6DA2"
},
{
"criteria": "cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B16ED7C1-9881-452A-8BE0-EDDEAEFE3D7B"
},
{
"criteria": "cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "ED92209F-FBD6-43F9-9A15-3842B139FCC9"
}
],
"operator": "OR"
}
]
}
]