CVE-2024-37085

CVSS 6.8 MEDIUM | EPSS 26.8% | KEV | CWE-305

In short

VMware ESXi can be compromised if a malicious actor with Active Directory admin rights deletes and recreates the default ESXi admin group, bypassing authentication and gaining full host access. This matters because it allows attackers to take complete control of virtualized infrastructure.

Technical detail

An authentication bypass exists in VMware ESXi when configured for AD-based user management (CWE-305). An attacker with sufficient AD permissions can delete the configured ESXi admin group and recreate it with their own membership, circumventing the intended access controls and gaining unauthorized administrative access to the ESXi host.

Summary generated and translated by AI from the official description.
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management (https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html) by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
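
Detection example

A detection sketch for the group re-creation described above, added here as an example and not taken from the official advisory: it scans directory audit events for creation of the configured admin group, records any earlier deletion, and lists members added afterwards. The event dictionary schema and the sample events are constructed assumptions; the event IDs are the Windows Security IDs for security-enabled group creation, deletion and member addition, and the group name is the one the description gives and should match the host's configured value.

```python
from datetime import datetime, timedelta

# Windows Security event IDs for security-enabled groups (global, local, universal scope).
CREATED = {4727, 4731, 4754}
DELETED = {4730, 4734, 4758}
MEMBER_ADDED = {4728, 4732, 4756}


def find_group_recreation(events, group_name="ESXi Admins", window=timedelta(hours=24)):
    """Report each creation of the watched group, any earlier deletion seen in
    the log, and the members added within `window` of that creation."""
    wanted = group_name.casefold()  # AD group names compare case-insensitively
    relevant = sorted(
        (e for e in events if e["group"].casefold() == wanted),
        key=lambda e: datetime.fromisoformat(e["time"]),
    )
    findings, last_deleted = [], None
    for e in relevant:
        ts = datetime.fromisoformat(e["time"])
        if e["event_id"] in DELETED:
            last_deleted = ts
        elif e["event_id"] in CREATED:
            findings.append({
                "created_at": ts,
                "created_by": e["actor"],
                "deleted_at": last_deleted,  # None: no deletion seen in this log
                "members_added": [],
            })
        elif e["event_id"] in MEMBER_ADDED and findings:
            current = findings[-1]
            if ts - current["created_at"] <= window:
                current["members_added"].append(e["member"])
    return findings


# Constructed sample events in a hypothetical normalized schema (not real log data).
SAMPLE_EVENTS = [
    {"time": "2024-07-01T09:00:00", "event_id": 4728, "group": "Helpdesk", "actor": "it.admin", "member": "j.doe"},
    {"time": "2024-07-02T01:10:00", "event_id": 4730, "group": "ESXi Admins", "actor": "svc.backup"},
    {"time": "2024-07-02T01:12:00", "event_id": 4727, "group": "esxi admins", "actor": "svc.backup"},
    {"time": "2024-07-02T01:13:00", "event_id": 4728, "group": "ESXi Admins", "actor": "svc.backup", "member": "tmp.user"},
]

if __name__ == "__main__":
    for finding in find_group_recreation(SAMPLE_EVENTS):
        print(finding)
```

A finding with `deleted_at` set and a non-empty `members_added` list is the sequence the description warns about and is the one to triage first.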