CVE-2024-37085

MEDIUM KEV RANSOMWARE

VMware ESXi - Authentication Bypass via Recreated Active Directory Group


Exploitation Summary

CVE-2024-37085 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added July 30, 2024), with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including mahmutaymahmutay and WTN-arny.

AI-analyzed exploit summary: This Python script scans for signs of CVE-2024-37085 exploitation in ESXi by checking authentication logs via SSH. It does not exploit the vulnerability but detects potential exploitation attempts.

Description

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management (see https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html) by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.

Exploits (3)

nomisec · SCANNER · 2 stars
by mahmutaymahmutay · poc
https://github.com/mahmutaymahmutay/CVE-2024-37085

This Python script scans for signs of CVE-2024-37085 exploitation in ESXi by checking authentication logs via SSH. It does not exploit the vulnerability but detects potential exploitation attempts.

Classification: Scanner (90%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Theoretical
Target: VMware ESXi
Auth required
Prerequisites: SSH access to the target ESXi host · Valid credentials for authentication · A JSON file named 'assets.json' containing device information
Analyzed by devstral-2 on Feb 18, 2026
nomisec · SUSPICIOUS
by WTN-arny · poc
https://github.com/WTN-arny/CVE-2024-37085

The repository claims to exploit an unauthenticated shell upload vulnerability in domain-joined ESXi hypervisors but provides no actual exploit code. Instead, it directs users to external download links and requests payment for the exploit.

Classification: Suspicious (95%)
Attack Type: Auth Bypass
Complexity: Theoretical
Reliability: Theoretical
Target: VMware ESXi (version not specified)
No auth needed
Prerequisites: ESXi shell must be enabled · Domain-joined ESXi hypervisor
Analyzed by devstral-2 on Feb 18, 2026
nomisec · SUSPICIOUS
by WTN-arny · poc
https://github.com/WTN-arny/Vmware-ESXI

The repository claims to exploit CVE-2024-37085, an unauthenticated shell upload vulnerability in VMware ESXi, but provides no actual exploit code. Instead, it directs users to external download links and requests payment for the exploit.

Classification: Suspicious (95%)
Attack Type: Auth Bypass
Complexity: Theoretical
Reliability: Theoretical
Target: VMware ESXi (domain-joined hypervisors)
No auth needed
Prerequisites: ESXi shell must be enabled · Python 3.10 or above
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3: 6.8
EPSS: 0.8027
EPSS Percentile: 99.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2024-07-30
VulnCheck KEV: 2024-04-23
InTheWild.io: 2024-07-30
ENISA EUVD: EUVD-2024-36416
Ransomware Use: Confirmed
CWE: CWE-305, CWE-287
Status: published
Products (3):
  vmware/cloud_foundation 4.0 - 5.2
  vmware/esxi 7.0
  vmware/esxi 8.0 (11 CPE variants)
Published: Jun 25, 2024
KEV Added: Jul 30, 2024
Tracked Since: Feb 18, 2026