CVE-2024-37085 — VMware ESXi Authentication Bypass Vulnerability

CVE-2024-37085

VMware ESXi AD Integration — Domain Admin Can Recreate Deleted AD Group to Gain Full ESXi Admin Access; Mass Ransomware Exploitation by Storm-0506, Black Basta, Medusa, Scattered Spider

What is VMware ESXi Active Directory Integration?

VMware ESXi supports integration with Active Directory (AD) for centralized user authentication, allowing organizations to manage ESXi host access using existing domain accounts rather than local ESXi credentials. When AD integration is configured, ESXi grants full administrative access to any user who is a member of a specific AD security group — by default named "ESXi Admins." This integration pattern is common in enterprise environments where hypervisor management is delegated to IT infrastructure teams who already use AD for access control. ESXi hypervisors are high-value targets for ransomware groups because encrypting all VMs on a hypervisor maximizes the scope of disruption in a single action — a ransomware group that gains ESXi admin access can encrypt an entire organization's virtual infrastructure at once.

Overview

CVE-2024-37085 is an authentication bypass vulnerability in VMware ESXi's Active Directory integration. When the configured "ESXi Admins" AD group is deleted from Active Directory, ESXi does not properly revoke access for former group members — and when an attacker with AD domain admin privileges recreates a group with the same name, any user they add to the new group immediately gains full ESXi administrative access. Discovered by Microsoft Threat Intelligence, this vulnerability was rapidly exploited by multiple ransomware groups following disclosure, leading to CISA KEV addition on July 30, 2024.

Affected Versions

Product                      Status
VMware ESXi 8.0              Patched in ESXi80U3-24022510
VMware ESXi 7.0              Patched in ESXi70U3r-23828128
VMware Cloud Foundation 5.x  Patched
VMware Cloud Foundation 4.x  Patched

Technical Details

CWE-287 (Improper Authentication). When ESXi is configured to use AD for authentication with a designated administrator group (default: "ESXi Admins"), ESXi caches and trusts group membership information. A flaw in how ESXi handles the deletion and recreation of the configured AD group results in:

  1. When the "ESXi Admins" group is deleted from AD, ESXi may continue granting access to former members (group deletion doesn't immediately revoke)
  2. When an attacker recreates a group with the same name in AD and adds themselves, ESXi trusts the new group and grants its members full admin access

The attack requires that the attacker already have AD domain admin privileges (or equivalent AD permissions to manage security groups). In ransomware intrusions, attackers who have achieved domain admin via other means can exploit this to pivot from AD compromise to ESXi hypervisor compromise without needing ESXi-specific credentials.

Discovery

Discovered by Microsoft Threat Intelligence Center (MSTIC) during investigation of ransomware intrusions. Microsoft's analysis found multiple financially-motivated threat actors using this technique as part of post-domain-compromise ESXi takeover chains. Microsoft reported the vulnerability to Broadcom/VMware.

Exploitation Context

Following VMSA-2024-0013 disclosure, multiple ransomware groups rapidly weaponized CVE-2024-37085 as a standard step in their ESXi compromise playbook:

  • Storm-0506 (Black Basta ransomware affiliate): Used after achieving AD domain compromise to encrypt ESXi infrastructure
  • Storm-1175 (Medusa ransomware): Adopted the technique in enterprise intrusions
  • Octo Tempest / Scattered Spider (ALPHV/BlackCat affiliate): Added to their ESXi targeting toolkit
  • Manatee Tempest: Used in multiple incidents

The pattern is consistent: achieve domain admin through phishing, credential theft, or other initial access; then use CVE-2024-37085 to gain ESXi admin without needing to crack or steal vCenter/ESXi credentials specifically; then deploy ransomware to all VMs simultaneously for maximum impact.

Remediation

  1. Apply VMware patches per VMSA-2024-0013 — ESXi 8.0 U3 or ESXi 7.0 U3r or later.
  2. Verify the "ESXi Admins" AD group exists and audit its membership — remove any unexpected members.
  3. Consider renaming the ESXi admin group from the default "ESXi Admins" to a custom name known only to your team — this requires updating ESXi configuration but reduces risk from generic group name targeting.
  4. Enable AD integration monitoring: alert on deletion or recreation of the configured ESXi admin AD group.
  5. Restrict who can create AD security groups — if only domain admins can create groups, the prerequisite for this exploit is harder to meet.
  6. Consider migrating ESXi authentication from AD group integration to local credentials managed via a privileged access workstation (PAW) or privileged access management (PAM) solution, eliminating the AD dependency.
  7. Enable ESXi host audit logging and forward to SIEM — alert on unexpected admin session creation or mass VM power-off/snapshot activity that precedes ransomware deployment.
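The delete-recreate-add sequence described under Technical Details is also the signal remediation step 4 asks you to alert on. The following detector is an added example, not code from this page, VMware or Microsoft: it assumes AD security events have been exported as pipe-delimited lines (timestamp|event_id|group|actor|member) and uses the standard Windows Security event IDs 4730, 4727 and 4728 (global security group deleted, created, member added); the sample log is constructed.

```python
# Added example: flag the AD group delete -> recreate -> add-member sequence
# that CVE-2024-37085 relies on. Event IDs are the standard Windows Security
# IDs for global security groups; the export format below is an assumption.
from dataclasses import dataclass

ESXI_ADMIN_GROUP = "ESXi Admins"  # group name configured on the ESXi hosts (default)
GROUP_DELETED, GROUP_CREATED, MEMBER_ADDED = 4730, 4727, 4728


@dataclass
class Event:
    ts: str
    event_id: int
    group: str
    actor: str
    member: str = ""


def parse_line(line: str) -> Event:
    """Parse one constructed export line: ts|event_id|group|actor|member."""
    ts, eid, group, actor, member = (line.strip().split("|") + [""])[:5]
    return Event(ts, int(eid), group, actor, member)


def detect(log_text: str, group: str = ESXI_ADMIN_GROUP) -> list[dict]:
    """Return one alert per recreation of `group` after a deletion, plus one per
    member added to the recreated group. Names are compared case-insensitively
    so a recreation that differs only in case is not missed."""
    alerts, deleted_at, recreated = [], None, False
    for ev in map(parse_line, filter(str.strip, log_text.splitlines())):
        if ev.group.casefold() != group.casefold():
            continue  # unrelated group
        if ev.event_id == GROUP_DELETED:
            deleted_at, recreated = ev.ts, False
        elif ev.event_id == GROUP_CREATED and deleted_at is not None:
            recreated = True
            alerts.append({"type": "group_recreated", "ts": ev.ts,
                           "actor": ev.actor, "deleted_at": deleted_at})
        elif ev.event_id == MEMBER_ADDED and recreated:
            alerts.append({"type": "member_added_to_recreated_group",
                           "ts": ev.ts, "actor": ev.actor, "member": ev.member})
    return alerts


# Constructed sample export (not real telemetry): routine membership change,
# then a deletion and differently-cased recreation by a single account.
SAMPLE_LOG = """
2024-07-01T09:00:00Z|4728|ESXi Admins|svc-vmware|alice
2024-07-02T02:13:05Z|4730|ESXi Admins|da-account|
2024-07-02T02:13:40Z|4727|esxi admins|da-account|
2024-07-02T02:14:02Z|4728|esxi admins|da-account|newadmin
2024-07-02T02:20:00Z|4727|Backup Ops|svc-backup|
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In production the same logic runs over 4731/4734/4732 as well if the group is domain-local rather than global, and a group rename event should be treated like a deletion.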

Key Details

Property              Value
CVE ID                CVE-2024-37085
Vendor / Product      VMware — ESXi
NVD Published         2024-06-25
NVD Last Modified     2025-10-30
CVSS 3.1 Score        6.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Severity              MEDIUM
CWE                   CWE-287
CISA KEV Added        2024-07-30
CISA KEV Deadline     2024-08-20
Known Ransomware Use  ⚠️ Yes

CVSS 3.1 Breakdown

Metric               Value
Attack Vector        Network
Attack Complexity    Low
Privileges Required  High
User Interaction     Required
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2024-08-20. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-06-25  Broadcom/VMware releases VMSA-2024-0013 patching CVE-2024-37085
2024-07-30  CISA adds CVE-2024-37085 to the Known Exploited Vulnerabilities catalog — Microsoft reports widespread ransomware exploitation
2024-08-20  CISA BOD 22-01 remediation deadline

References

Resource                                          Type
Broadcom VMware Security Advisory VMSA-2024-0013  Vendor Advisory
NVD — CVE-2024-37085                              Vulnerability Database
CISA KEV Catalog Entry                            US Government