Ransomware, Patch/Configuration Management, Vulnerability Management

Many VMware ESXi instances remain vulnerable to actively exploited bug


SecurityWeek reports that, as of the end of July, one week after VMware issued patches, over 20,000 internet-exposed VMware ESXi hypervisors remained affected by the actively exploited medium-severity authentication bypass vulnerability tracked as CVE-2024-37085.

Despite the elevated detections, workarounds may have already been applied in some VMware ESXi instances, according to The Shadowserver Foundation. Shadowserver's findings come after Microsoft reported that several ransomware operations had leveraged the flaw to obtain admin privileges on vulnerable VMware ESXi hypervisors and eventually facilitate Akira and Black Basta ransomware infections. "Successful exploitation leads to full administrative access to the ESXi hypervisors, allowing threat actors to encrypt the file system of the hypervisor, which could affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network," said Microsoft.
