SentinelOne
CVE Vulnerability Database

CVE-2024-37085: VMware ESXi Auth Bypass Vulnerability

CVE-2024-37085 is an authentication bypass in VMware ESXi hosts that are joined to Active Directory. An attacker who already holds AD rights sufficient to create or rename a group can obtain full administrative access to the host by re-creating the configured ESXi admin group after it has been deleted from AD. This article covers technical details, impact, detection, and mitigation.


CVE-2024-37085 Overview

VMware ESXi contains an authentication bypass vulnerability (VMSA-2024-0013, CVSSv3 base score 6.8). A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default in the advisory text; the name the host actually honours is stored in the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroup) after it was deleted from AD. ESXi grants members of that group the Administrator role on the host automatically and identifies the group by name rather than by its security identifier, so a newly created group carrying the same name is trusted as if it were the original.

Critical Impact

VMware rated the issue Important rather than Critical because the attacker must already hold AD privileges, but the outcome is full administrative control of the hypervisor: an attacker can stop or delete virtual machines, read guest disks from the datastore, and encrypt the host. Microsoft reported in July 2024 that several ransomware operators were using the technique to deploy Akira and Black Basta on ESXi hosts, and CISA added the CVE to its Known Exploited Vulnerabilities catalog.

Affected Products

  • VMware Cloud Foundation 4.x and 5.x (ESXi component)
  • VMware ESXi 7.0 (no patch planned)
  • VMware ESXi 8.0 (fixed in ESXi 8.0 Update 3)

Discovery Timeline

  • Date not available - Vulnerability discovered and reported to VMware by Microsoft researchers
  • 2024-06-25 - Broadcom publishes VMSA-2024-0013 with the fix in ESXi 8.0 Update 3; CVE-2024-37085 published to NVD the same day
  • 2024-07-29 - Microsoft reports in-the-wild exploitation by ransomware operators
  • 2024-07-30 - CISA adds CVE-2024-37085 to the Known Exploited Vulnerabilities catalog
  • 2025-10-30 - Last updated in NVD database

Technical Details for CVE-2024-37085

Vulnerability Analysis

An attacker who can create groups in the domain the ESXi host is joined to, or rename a group they already control, can become an administrator of the host. ESXi does not verify that the configured admin group existed when the host was joined, nor that a group it finds later is the same directory object: it looks the group up by name at login time and grants its members full administrative rights. Deleting the original 'ESXi Admins' group and re-creating one with the same name, or renaming any attacker-controlled group to that name, therefore places attacker-controlled accounts in the host's Administrator role. Microsoft also observed that hosts keep honouring the previously configured group for a time after an administrator points the setting at a different group, so simply changing the group name is not an immediate fix.

Root Cause

The root cause is that ESXi trusts an AD group by name, with no binding to the group's security identifier and no check at domain-join time that the group exists, while the default configuration automatically grants the Administrator role to that group's members. Any principal who can later create or rename a group to the configured name therefore satisfies the host's authorization check without ever having been granted anything on the host itself.
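The following model makes the root cause concrete. It is an added illustration, not VMware or SentinelOne code: an AD group is reduced to a SID, a name and a member set, the vulnerable check reproduces the name-based lookup described above, and the contrasting check pins the SID recorded when the host was configured. The pinned check is an assumed hardening to show the contrast, not a description of the vendor's patch. It also goes one step beyond the re-creation case on this page and shows the rename variant, where any group the attacker controls is renamed to the configured name.

```python
"""Model of the CVE-2024-37085 authorization flaw.

Added illustration, not VMware or SentinelOne code.  An AD group is reduced
to (objectSid, name, members).  The vulnerable check mirrors the behaviour
the advisory describes: ESXi looks the configured admin group up by *name*
at login, so whatever group carries that name is trusted.  The pinned check
binds to the SID recorded when the host was configured; it is an assumed
hardening for contrast, not the vendor's actual fix.
"""
from dataclasses import dataclass, field
import itertools

CONFIGURED_GROUP = "ESXi Admins"     # default group name per the advisory text
_rid = itertools.count(1001)         # fake relative identifiers for new groups


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    # A re-created group gets a fresh SID even if the name is identical.
    sid: str = field(default_factory=lambda: f"S-1-5-21-1-2-3-{next(_rid)}")


class Directory:
    """Minimal stand-in for AD: objects keyed by SID, names mutable."""

    def __init__(self):
        self.groups = {}

    def find_by_name(self, name):
        # AD matches sAMAccountName case-insensitively.
        return next((g for g in self.groups.values()
                     if g.name.lower() == name.lower()), None)

    def create(self, name, members=()):
        group = Group(name, set(members))
        self.groups[group.sid] = group
        return group

    def delete(self, name):
        group = self.find_by_name(name)
        if group is not None:
            del self.groups[group.sid]

    def rename(self, old, new):
        self.find_by_name(old).name = new


def is_admin_vulnerable(ad, user):
    """ESXi-style check: any group with the configured name is trusted."""
    group = ad.find_by_name(CONFIGURED_GROUP)
    return group is not None and user in group.members


def is_admin_pinned(ad, user, pinned_sid):
    """Hardened check: only the group object captured at configuration time."""
    group = ad.groups.get(pinned_sid)
    return group is not None and user in group.members


def scenario():
    """Return {case: (vulnerable_result, pinned_result)} for three situations."""
    ad = Directory()
    original = ad.create(CONFIGURED_GROUP, {"vsphere-admin"})
    pinned = original.sid                          # recorded when host was joined
    results = {"legit": (is_admin_vulnerable(ad, "vsphere-admin"),
                         is_admin_pinned(ad, "vsphere-admin", pinned))}

    ad.delete(CONFIGURED_GROUP)                    # group removed from AD
    ad.create(CONFIGURED_GROUP, {"attacker"})      # attacker re-creates it
    results["recreate"] = (is_admin_vulnerable(ad, "attacker"),
                           is_admin_pinned(ad, "attacker", pinned))

    ad.delete(CONFIGURED_GROUP)
    ad.create("Helpdesk", {"attacker"})            # any group the attacker owns
    ad.rename("Helpdesk", CONFIGURED_GROUP)        # rename variant
    results["rename"] = (is_admin_vulnerable(ad, "attacker"),
                         is_admin_pinned(ad, "attacker", pinned))
    return results


if __name__ == "__main__":
    for case, (vuln, pinned) in scenario().items():
        print(f"{case:9s} vulnerable={vuln!s:5s} pinned={pinned}")
```

The legitimate administrator passes both checks; after the group is deleted and re-created, or after a rename, the name-based check still says "admin" while the SID-pinned check correctly denies, because the object the host originally trusted no longer exists.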

Attack Vector

Network

python
# Example exploitation code (sanitized): models the flawed host-side check.
# ESXi resolves the admin group by name on each login, so whoever owns a
# group of that name after the original is deleted inherits full access.
ESX_ADMINS_GROUP = "ESXi Admins"  # default configured group name

def authenticate_bypass(ad_groups, user):
    """ad_groups maps AD group name -> set of member names."""
    members = ad_groups.get(ESX_ADMINS_GROUP, set())
    if user in members:  # no check that this is the original group object
        print("Authenticated as ESXi Admin")
        return True
    return False

Detection Methods for CVE-2024-37085

Indicators of Compromise

  • Creation, rename or membership change of an AD group named 'ESX Admins' or 'ESXi Admins' (Windows Security events 4727/4731/4754 for group creation, 4728/4732/4756 for member added, 4781 for account renamed), especially by an account that is not a domain or vSphere administrator
  • Logins to ESXi hosts or vCenter by AD accounts that were never host administrators, or from unusual workstations or times
  • Changes to the ESXi advanced settings Config.HostAgent.plugins.hostsvc.esxAdminsGroup or esxAdminsGroupAutoAdd that were not part of a change record

Detection Strategies

Forward domain controller Security logs to the SIEM and alert on any group whose name matches the ESXi admin group name being created, renamed or gaining members; a creation followed within minutes by a member-add from the same account is the exact sequence the bypass needs. Correlate these with ESXi and vCenter authentication logs for first-time administrator logins by AD accounts.

Monitoring Recommendations

Regularly review ESXi host access logs and the membership of the configured admin group, and confirm that the group still has the SID it had when the hosts were joined. Automate alerting on creation or modification of any group carrying the configured name, since the default AD audit policy records these events but nobody reads them without a rule.
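Detection logic for the indicators above, as an added example that is not SentinelOne's or VMware's code. It runs over constructed Windows Security event records using the EventData field names of the real events (SubjectUserName, TargetUserName, MemberName, OldTargetUserName, NewTargetUserName) and event IDs 4727/4731/4754 (group created), 4728/4732/4756 (member added) and 4781 (account renamed). The watched group names and the 30-minute correlation window are assumptions; set the names to whatever the hosts' Config.HostAgent.plugins.hostsvc.esxAdminsGroup setting contains.

```python
"""Alert on AD changes that set up a CVE-2024-37085 bypass.

Added detection example, not vendor code.  Input records are constructed
in-line with the EventData field names of the real Windows Security events.
WATCHED_GROUPS and CORRELATION_WINDOW are assumptions to tune per estate.
"""
from datetime import datetime, timedelta

WATCHED_GROUPS = {"esxi admins", "esx admins"}   # compared case-insensitively
GROUP_CREATED = {4727, 4731, 4754}               # global/local/universal group created
MEMBER_ADDED = {4728, 4732, 4756}                # member added to such a group
ACCOUNT_RENAMED = 4781                           # name of an account was changed
CORRELATION_WINDOW = timedelta(minutes=30)


def _watched(name):
    return name is not None and name.strip().lower() in WATCHED_GROUPS


def detect(events):
    """Return (severity, message, timestamp) alerts for watched-group activity.

    Creating or renaming a group to the watched name is 'medium'; a member
    added by the same actor within CORRELATION_WINDOW of that creation is
    'high', since that is the full sequence the bypass needs.
    """
    alerts, recent_creates = [], {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        eid, ts, actor = ev["EventID"], ev["TimeCreated"], ev.get("SubjectUserName")
        if eid in GROUP_CREATED and _watched(ev.get("TargetUserName")):
            recent_creates[actor] = ts
            alerts.append(("medium", f"{actor} created group '{ev['TargetUserName']}'", ts))
        elif eid == ACCOUNT_RENAMED and _watched(ev.get("NewTargetUserName")):
            recent_creates[actor] = ts
            alerts.append(("medium", f"{actor} renamed '{ev['OldTargetUserName']}' "
                                     f"to '{ev['NewTargetUserName']}'", ts))
        elif eid in MEMBER_ADDED and _watched(ev.get("TargetUserName")):
            created = recent_creates.get(actor)
            severity = ("high" if created is not None and ts - created <= CORRELATION_WINDOW
                        else "medium")
            alerts.append((severity, f"{actor} added {ev.get('MemberName')} "
                                     f"to '{ev['TargetUserName']}'", ts))
    return alerts


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4727, "TimeCreated": datetime(2024, 7, 1, 9, 0),
     "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "TimeCreated": datetime(2024, 7, 1, 9, 2),
     "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"EventID": 4727, "TimeCreated": datetime(2024, 7, 1, 10, 0),
     "SubjectUserName": "hr-admin", "TargetUserName": "HR Staff"},   # benign
    {"EventID": 4781, "TimeCreated": datetime(2024, 7, 1, 11, 0),
     "SubjectUserName": "jdoe", "OldTargetUserName": "Helpdesk",
     "NewTargetUserName": "esxi admins"},
]

if __name__ == "__main__":
    for severity, message, ts in detect(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M} [{severity}] {message}")
```

On the sample input the service account's create-then-add pair is escalated to high, the unrelated HR group is ignored, and the rename to a watched name is flagged even though no 4727 ever fires for it, which is why the rename event has to be in the rule.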

How to Mitigate CVE-2024-37085

Immediate Actions Required

  • Restrict who can create, rename and modify groups in AD, since those rights are all the attacker needs; review delegated Create Child and Write permissions on OUs
  • Create the ESXi admin group deliberately, protect it from accidental deletion, and keep its membership minimal so there is nothing for an attacker to "re-create"
  • Alert on creation, rename or membership change of any group carrying the configured admin group name, and on first-time AD administrator logins to ESXi hosts

Patch Information

Broadcom addressed the issue in ESXi 8.0 Update 3 (VMSA-2024-0013). No patch is planned for ESXi 7.0 or VMware Cloud Foundation 4.x, so those hosts must be upgraded or protected with the workaround below; VMware Cloud Foundation 5.x receives the fix as the asynchronous ESXi 8.0 Update 3 patch. Consult the advisory for the current list of fixed builds.

Workarounds

On hosts that cannot be patched, stop the host from trusting an AD group by name: set the advanced setting Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false so members of the named group are no longer granted the Administrator role automatically, and clear Config.HostAgent.plugins.hostsvc.esxAdminsGroup (or point it at a group you created and protected). Grant host administration to specific AD principals through vCenter permissions instead, and restrict group-creation rights in AD as described above.

bash
# Sample host-side check: CVE-2024-37085 only matters while the host trusts
# an AD group by name, so read the advanced settings that control it.
# Run in the ESXi shell; the option paths follow the documented
# Config.HostAgent.plugins.hostsvc.* advanced settings for AD integration.
ad_check() {
    local opt
    for opt in esxAdminsGroup esxAdminsGroupAutoAdd; do
        esxcli system settings advanced list \
            -o "/Config/HostAgent/plugins/hostsvc/$opt" || return 1
    done
}
# Hardened state: esxAdminsGroupAutoAdd disabled (false) and esxAdminsGroup
# empty or set to a group you created and protected from deletion.
ad_check

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform


See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.