CVE-2024-37085 is an authentication bypass vulnerability (CVSS v3.1 7.2 HIGH per NVD) in domain-joined VMware ESXi hypervisors. An attacker with sufficient Active Directory privileges can gain full ESXi administrative control by creating or renaming an AD group called "ESX Admins," enabling ransomware deployment across virtualised server estates. Akira and Black Basta ransomware groups have exploited this vulnerability in the wild.
CVE-2024-37085 affects domain-joined VMware ESXi hypervisors running ESXi 7.0, ESXi 8.0, and VMware Cloud Foundation 4.x and 5.x - environments common across mid-market and enterprise organisations that rely on VMware for their virtualised server estate. According to Microsoft Threat Intelligence, the number of Microsoft Incident Response engagements involving the targeting and impacting of ESXi hypervisors more than doubled in the three years prior to this disclosure - a signal that hypervisors have become a primary ransomware target.
The Precursor Managed Detection & Response (MDR) team regularly triage intelligence from open sources, partners and vendors. Microsoft Threat Intelligence shared intel advising that domain-joined VMware ESXi hypervisors were exposed to an authentication bypass vulnerability: any member of an AD (Active Directory) group called "ESX Admins" is treated as a full administrator of the hypervisor. The Precursor MDR team triaged this intelligence and produced multiple detection rules for existing customers. The MDR team also performed in-depth testing by emulating the malicious activity in a test environment and confirmed that the following products detect this activity:
- CrowdStrike Falcon EDR (Endpoint Detection and Response)
- CrowdStrike Falcon Identity Threat Detection
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
The MDR team have been working with organisations to confirm their patch status, check for the presence of this group in their Active Directory, look for evidence of prior compromise, and provide guidance on further hardening recommendations.
This activity has been attributed by Microsoft Threat Intelligence to threat actors including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, and in several cases has led to Akira and Black Basta ransomware deployments. CVE-2024-37085 was added to CISA's Known Exploited Vulnerabilities catalog on 2024-07-30, with a federal agency remediation deadline of 2024-08-20. CISA explicitly flags it as known to be used in ransomware campaigns.
How Does the CVE-2024-37085 VMware ESXi Exploit Work?
CVE-2024-37085 is an authentication bypass vulnerability in domain-joined VMware ESXi hypervisors, carrying a CVSS v3.1 base score of 7.2 HIGH per NVD (the vendor, VMware/Broadcom, rates it 6.8 MEDIUM in advisory VMSA-2024-0013). The affected products and versions are:
| Product | Affected Versions |
|---|---|
| VMware ESXi | 7.0 (all sub-versions) |
| VMware ESXi | 8.0, 8.0a, 8.0b, 8.0c, 8.0 Update 1, 8.0 Update 1a, 8.0 Update 1c, 8.0 Update 1d, 8.0 Update 2, 8.0 Update 2b, 8.0 Update 2c |
| VMware Cloud Foundation | 4.0 through 5.1.x |
Exploitation of this vulnerability requires the attacker to already be present in an Active Directory environment where VMware ESXi servers are deployed and domain-joined. The root cause is that VMware ESXi trusts the "ESX Admins" AD group by default at the hypervisor level - but membership is validated by group name rather than by the AD security identifier (SID). This means a threat actor can gain full administrative control over any domain-joined ESXi host simply by creating a new group with the name "ESX Admins," or by renaming any existing AD group to that name. The hypervisor does not check that the group existed originally, nor does it validate the group's identity against its SID. As Microsoft Threat Intelligence described it, ESXi hypervisors do not validate that the "ESX Admins" group exists when the server is joined to a domain - they still treat any member of a group with this name as having full administrative access.
Microsoft Threat Intelligence shared the following two commands, observed being executed on a beachhead host within the victim environment (the first creates the group, the second adds the attacker-controlled account to it):

```
net group "ESX Admins" /domain /add
net group "ESX Admins" username /domain /add
```
The CVSS vector string (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) includes Privileges Required: High - meaning the attacker must already hold sufficient Active Directory privileges to create or delete groups in the domain. This is an important nuance: the vulnerability enables privilege escalation to ESXi root-level access, but it requires an existing AD foothold with group management rights as a precondition. This is consistent with the post-compromise technique Microsoft describes, where threat actors leverage the vulnerability after establishing initial access through other means such as phishing or exploitation of separate Windows vulnerabilities.
If the attacker successfully exploits this vulnerability, they gain full control over the ESXi hypervisor and any guest virtual machines - typically the virtualised server estate - positioning them for mass encryption and data exfiltration. Microsoft documents a real-world example involving Storm-0506 attacking an engineering firm in North America, where exploitation of CVE-2024-37085 led to encryption of the ESXi file system and loss of functionality across hosted VMs.
How Can You Detect CVE-2024-37085 Activity in Your Environment?
The Precursor MDR team operate a true 24x7 service, so this intelligence was triaged overnight by the team and turned into detection rules that protect our customers across the UK, EMEA and other regions.
We first gathered initial assurance by testing popular EDR vendors CrowdStrike Falcon and Microsoft Defender, both of which detected and blocked this activity. This activity can and does occur on hosts without EDR coverage - partial EDR deployment is common across enterprise environments and represents a significant detection gap for this specific vulnerability. We overcome this by deploying our own agent to hosts and collecting telemetry into our SIEM (Security Information and Event Management) solution.
Multiple custom detections were created to bolster organisations' posture and resilience towards this vulnerability. Our custom SIEM detections cover the primary activity categories associated with this vulnerability: AD group creation events, group membership modification, command-line execution of net group commands consistent with the observed attacker technique, and ESXi login events that occur in proximity to AD group changes.
- We have 5+ custom SIEM detections that cover this activity across the categories above.
- Microsoft Defender for Endpoint and Defender for Identity detect this activity.
- CrowdStrike Falcon EDR and Falcon Identity Threat Detection detect this activity.
The table below summarises detection coverage across the security products confirmed to address CVE-2024-37085 activity:
| Security Product | Detection Type | Alert Fidelity | Requires EDR on ESXi Host | Identity-Layer Visibility Required |
|---|---|---|---|---|
| CrowdStrike Falcon EDR | Process/command-line execution (net group commands) | High | Yes | No |
| CrowdStrike Falcon Identity Threat Detection | AD group change event, identity-layer alert | High | No | Yes |
| Microsoft Defender for Endpoint | Process execution; "Suspicious modifications to ESX Admins group" alert | High | No (alert fires on Windows hosts) | No |
| Microsoft Defender for Identity | "Suspicious creation of ESX group" identity alert | High | No | Yes |
| Precursor custom SIEM detections | AD group creation, group membership modification, net group command execution, ESXi login proximity events | High | No | No |
What Steps Should You Take to Protect VMware ESXi from Ransomware Exploitation?
Monitor for AD Group Creation and Modification
Enable and actively review logging for Active Directory group creation and modification events across your entire AD estate. For CVE-2024-37085 specifically, the critical signal is the creation or renaming of any group to "ESX Admins" - an event that would be routine in a legitimate admin workflow only when intentionally provisioning VMware ESXi management access. Configure your SIEM or EDR to alert on net group command-line execution, particularly when executed against the domain, and correlate with any subsequent ESXi authentication events. Microsoft Defender for Identity fires a "Suspicious creation of ESX group" alert for this specific activity. Ensure these alerts route to your SOC for same-day review rather than sitting in a backlog.
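The four signal categories described above (group creation or rename, membership modification, net group command execution, and ESXi logins shortly after a group change) can be correlated in a single pass over normalised events. The following is an added illustration written for this article, not Precursor's SIEM rule or any vendor's detection logic; the sample records are constructed, the flattened field names are an assumption of a hypothetical normaliser, and the Windows Security event IDs are the standard ones for group creation (4727/4731/4754), account rename (4781), member addition (4728/4732/4756) and process creation (4688).

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): Windows Security events from a DC
# and a workstation, plus ESXi login records, flattened to dicts by a hypothetical
# SIEM normaliser. Field names are assumptions for this example.
EVENTS = [
    {"ts": "2024-07-29T02:14:05", "src": "dc01", "event_id": 4727, "actor": "j.doe",
     "group": "ESX Admins"},                                   # global group created
    {"ts": "2024-07-29T02:14:30", "src": "ws-42", "event_id": 4688, "actor": "j.doe",
     "cmdline": 'net  group "ESX Admins" j.doe /domain /add'},  # beachhead command
    {"ts": "2024-07-29T02:14:31", "src": "dc01", "event_id": 4728, "actor": "j.doe",
     "group": "ESX Admins", "member": "j.doe"},                # member added
    {"ts": "2024-07-29T02:20:10", "src": "esxi01", "event_id": "esxi_login",
     "actor": "CORP\\j.doe"},                                  # login 6 min later
    {"ts": "2024-07-29T09:00:00", "src": "dc01", "event_id": 4731, "actor": "admin",
     "group": "Finance Readers"},                              # unrelated group
    {"ts": "2024-07-29T09:05:00", "src": "esxi01", "event_id": "esxi_login",
     "actor": "CORP\\vmadmin"},                                # outside the window
]

GROUP_CREATE = {4727, 4731, 4754}   # security-enabled global/local/universal group created
GROUP_RENAME = {4781}               # account (including group) name changed
MEMBER_ADD = {4728, 4732, 4756}     # member added to global/local/universal group
# net or net1 invoked with "group" and the trusted group name, quoted or not
NET_GROUP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?esx\s+admins"?', re.I)


def detect(events, window=timedelta(minutes=30)):
    """Return (timestamp, rule, source, subject) tuples for the four signal categories."""
    alerts, changes = [], []          # changes: times of ESX Admins group modifications
    for e in sorted(events, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(e["ts"])
        eid = e["event_id"]
        group = e.get("group", "").casefold()          # match by name, as ESXi does
        cmd = e.get("cmdline", "").casefold()
        if eid in GROUP_CREATE | GROUP_RENAME and group == "esx admins":
            alerts.append((e["ts"], "esx_admins_group_created_or_renamed", e["src"], e["actor"]))
            changes.append(t)
        elif eid in MEMBER_ADD and group == "esx admins":
            alerts.append((e["ts"], "esx_admins_member_added", e["src"], e["member"]))
            changes.append(t)
        elif eid == 4688 and NET_GROUP_RE.search(cmd) and "/domain" in cmd and "/add" in cmd:
            alerts.append((e["ts"], "net_group_esx_admins_cmdline", e["src"], e["actor"]))
        elif eid == "esxi_login" and any(timedelta(0) <= t - c <= window for c in changes):
            alerts.append((e["ts"], "esxi_login_after_esx_admins_change", e["src"], e["actor"]))
    return alerts
```

Running `detect(EVENTS)` yields four alerts for the 02:14 to 02:20 sequence and none for the unrelated Finance Readers change or the later ESXi login, which falls outside the correlation window.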
Ensure 100% EDR Coverage Across All Hosts
Review which hosts - especially your most critical infrastructure - do not have EDR deployed with a correctly loaded configuration. 100% EDR coverage matters for this vulnerability specifically because the exploit technique can be executed from any Windows host on the domain that has sufficient AD privileges: the attacker's beachhead host is where the net group commands run, not the ESXi hypervisor itself. VMware ESXi hosts typically have no native EDR agent, so detection must occur at the Windows layer where the AD manipulation takes place. Partial EDR deployment - common in enterprise environments that have grown through acquisition or have legacy exclusion policies - creates blind spots at precisely the hosts an attacker is likely to use as a beachhead. Identify any host without EDR coverage and treat it as an unmonitored attack surface.
Test Your Detections and EDR Blocks Regularly
Where possible, validate that your EDR and SIEM detections block or alert on this specific activity in a controlled test environment before relying on them in production. The Precursor MDR team validated CrowdStrike Falcon EDR, CrowdStrike Falcon Identity Threat Detection, Microsoft Defender for Endpoint, and Microsoft Defender for Identity against emulated CVE-2024-37085 activity - each returned expected detections. If your organisation uses different tooling, or if your EDR deployment is partial, consider engaging a third party to run a targeted detection validation exercise. Custom SIEM detections that cover AD group manipulation and command-line execution of net group commands are a reliable backstop where EDR coverage has gaps.
Apply Patches to Mission-Critical Infrastructure Promptly
Apply the available Broadcom patches to affected VMware ESXi and VMware Cloud Foundation environments as a priority. The patch availability differs by version - this is an operationally significant distinction:
| Product | Version | Remediation |
|---|---|---|
| VMware ESXi | 8.0 | Patch available: ESXi80U3-24022510 |
| VMware ESXi | 7.0 | No patch available - apply workaround only (KB369707) |
| VMware Cloud Foundation | 5.x | Patch to version 5.2 |
| VMware Cloud Foundation | 4.x | No patch available - apply workaround only (KB369707) |
Organisations running ESXi 7.0 or VMware Cloud Foundation 4.x cannot simply patch and move on - they must apply the configuration workaround documented in Broadcom KB369707 and confirm it is correctly applied. Track patch and workaround status for all hypervisors in your estate, and prioritise those joined to the Active Directory domain, as those are the only instances exposed to this specific attack vector.
CVE-2024-37085 carries a CVSS score of 7.2 HIGH (NVD) and is being actively exploited by ransomware operators including Storm-0506 and Octo Tempest. Applying the Broadcom patch or workaround and validating your detection coverage are the two most time-sensitive actions. If you need support validating your VMware ESXi exposure or testing detection coverage across your environment, contact the Precursor MDR team.
References
- Broadcom Security Advisory VMSA-2024-0013 - VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2024-37085, CVE-2024-37086, CVE-2024-37087). Published 2024-06-25, updated 2024-08-12.
- Microsoft Threat Intelligence Blog - "Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption." Published 2024-07-29.
- NVD CVE-2024-37085 Record - National Vulnerability Database entry. CVSS v3.1 score 7.2 HIGH. Published 2024-06-25.
- CISA Known Exploited Vulnerabilities Catalog - CVE-2024-37085 - Added 2024-07-30. Federal remediation deadline: 2024-08-20.
- Broadcom KB369707 - ESXi 7.0 / VCF 4.x Workaround - In-product workaround instructions for versions without an available patch.