CVE-2024-37085 is an authentication bypass vulnerability affecting VMware ESXi versions 7.0 and 8.0. VMware ESXi supports integration with Active Directory (AD) for user management, allowing AD groups to control administrative access to ESXi hosts. The vulnerability arises when an attacker with sufficient permissions in AD deletes the configured ESXi administrative group (by default named 'ESXi Admins') and then re-creates it. Due to improper validation or synchronization mechanisms within ESXi's AD integration, the re-created group is treated as the original, granting the attacker full administrative access to the ESXi host without proper authentication. This flaw is classified under CWE-305 (Authentication Bypass by Primary Weakness). Exploitation requires the attacker to have high privileges in the AD environment and to perform user interaction steps such as deleting and re-creating AD groups. The vulnerability impacts confidentiality, integrity, and availability of the ESXi host, potentially allowing full control over virtualized workloads. No patches have been released at the time of disclosure, and no known exploits are in the wild. The CVSS v3.1 score is 6.8, indicating medium severity, with attack vector network, low attack complexity, high privileges required, and user interaction needed.

This vulnerability can have severe consequences for organizations relying on VMware ESXi hosts integrated with Active Directory for user management. An attacker with sufficient AD privileges can bypass ESXi authentication controls, gaining full administrative access to the host. This access enables the attacker to manipulate virtual machines, steal sensitive data, disrupt services, or deploy malware within the virtualized environment. The compromise of ESXi hosts can cascade to affect multiple virtual machines and critical workloads, impacting business continuity and data confidentiality. Given the reliance on AD in many enterprise environments, the attack surface is significant where AD permissions are not tightly controlled. The requirement for high AD privileges limits the threat to insiders or attackers who have already compromised AD accounts, but the impact of such an escalation is critical. Organizations operating in sectors with high virtualization usage, such as finance, healthcare, government, and cloud service providers, face elevated risks.

1. Immediately audit and restrict Active Directory permissions to ensure only trusted administrators can modify AD groups, especially those related to ESXi access. 2. Monitor and alert on any creation, deletion, or modification of the ESXi administrative groups in AD to detect suspicious activity early. 3. Implement strict change management and logging for AD group modifications. 4. Consider temporarily disabling AD integration for ESXi hosts if feasible until patches are released. 5. Use multi-factor authentication and strong access controls for AD administrators to reduce risk of credential compromise. 6. Segment management networks and restrict network access to ESXi hosts to trusted personnel only. 7. Regularly review VMware and security vendor advisories for patches or updates addressing this vulnerability and apply them promptly once available. 8. Employ endpoint detection and response (EDR) tools to detect anomalous activity on ESXi hosts. 9. Conduct security awareness training for AD administrators about the risks of group modifications. These steps go beyond generic advice by focusing on AD permission hygiene, monitoring, and operational controls specific to this vulnerability's exploitation vector.