CVE-2024-37085 Overview
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.
Critical Impact
This vulnerability allows attackers to bypass authentication controls, potentially leading to complete control over affected systems.
Affected Products
- VMware Cloud Foundation
- VMware ESXi 7.0
- VMware ESXi 8.0
Discovery Timeline
- Not Available - Vulnerability discovered by Not Available
- Not Available - Responsible disclosure to VMware
- Not Available - CVE CVE-2024-37085 assigned
- Not Available - VMware releases security patch
- 2024-06-25 - CVE CVE-2024-37085 published to NVD
- 2025-10-30 - Last updated in NVD database
Technical Details for CVE-2024-37085
Vulnerability Analysis
The vulnerability allows an attacker with the ability to manipulate Active Directory settings to gain unauthorized access to an ESXi host. This is achieved by re-creating the 'ESXi Admins' group after its deletion, which is not properly verified by ESXi for authorization checks.
Root Cause
The root cause of this vulnerability is the improper handling and verification of Active Directory group configurations in VMware ESXi settings, enabling a bypass of the intended authentication process.
Attack Vector
Network
# Example exploitation code (sanitized)
def authenticate_bypass(ad_cred):
# Simulate re-creation of deleted 'ESXi Admins' group
if verify_ad_creds(ad_cred):
print("Authenticated as ESXi Admin")
return True
return False
Detection Methods for CVE-2024-37085
Indicators of Compromise
- Unexpected accounts or groups in Active Directory
- Unauthorized access logs on ESXi servers
- Modification of group management settings in AD
Detection Strategies
Utilize monitoring tools to observe changes in Active Directory group configurations and unauthorized access attempts to ESXi hosts. Inspect log files for unexpected authentication activities.
Monitoring Recommendations
Regularly review access logs and changes in group configurations within Active Directory. Employ automation scripts to alert on unauthorized group creation or modification.
How to Mitigate CVE-2024-37085
Immediate Actions Required
- Audit and control Active Directory permissions
- Monitor user and group changes
- Implement strict logging and alerting on AD modifications
Patch Information
Consult VMware’s official advisory for patch details and apply security updates as soon as they are released.
Workarounds
Strengthen security protocols by verifying group existence actively before granting permissions.
# Sample configuration to enhance security
ad_check() {
if [ $(ad_query 'ESXi Admins') ]; then
echo "Group exists. Proceeding with authentication."
else
echo "Group verification failed. Aborting."
fi
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
