VMware ESXi Sandbox Escape Flaw Actively Exploited in Ransomware Campaigns
CISA warns that threat actors are leveraging a high-severity VMware ESXi vulnerability (CVE-2024-37085) in ransomware attacks, after it was first exploited as a zero-day.
VMware ESXi Vulnerability Exploited in Ransomware Attacks, CISA Confirms
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that ransomware groups are actively exploiting a high-severity VMware ESXi sandbox escape vulnerability, previously leveraged in zero-day attacks. The agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday, underscoring the urgent need for organizations to apply available patches.
Technical Details of CVE-2024-37085
The vulnerability, tracked as CVE-2024-37085 (CVSS score pending), allows attackers who already hold administrative access to a guest virtual machine (VM) to escape the sandbox and execute arbitrary code on the underlying ESXi hypervisor. An exploit of this type poses severe risks, as it can lead to full host compromise, lateral movement within networks, and deployment of ransomware or other malicious payloads.
VMware released patches for the flaw in its June 2024 security advisory, addressing multiple vulnerabilities in ESXi, Workstation, and Fusion products. However, CISA’s inclusion of CVE-2024-37085 in the KEV catalog indicates that unpatched systems remain a prime target for threat actors.
Impact and Threat Landscape
Ransomware groups, including those affiliated with high-profile operations like LockBit and Black Basta, have historically targeted VMware ESXi environments due to their prevalence in enterprise and cloud infrastructures. The exploitation of CVE-2024-37085 aligns with a broader trend of attackers focusing on virtualization platforms to maximize their impact.
Organizations running unpatched ESXi servers risk:
- Full hypervisor compromise, enabling attackers to control all hosted VMs.
- Data encryption and exfiltration, leading to operational disruptions and financial losses.
- Lateral movement into connected networks, amplifying the scope of an attack.
Recommendations for Security Teams
CISA urges organizations to prioritize patching CVE-2024-37085 immediately. Additional mitigations include:
- Isolating critical VMs from less secure environments to limit potential damage.
- Monitoring for unusual activity on ESXi hosts, such as unexpected VM migrations or unauthorized administrative actions.
- Implementing network segmentation to contain potential breaches.
- Reviewing VMware’s security advisories for updates on related vulnerabilities (e.g., CVE-2024-37086, CVE-2024-37087).
For further guidance, refer to CISA’s advisory and VMware’s patch documentation.
Original reporting by Sergiu Gatlan for BleepingComputer.