VMware ESXi Backdoor Vulnerability (ESXiArgs Ransomware)
Summary
A critical heap overflow vulnerability in the OpenSLP service of VMware ESXi that has been actively exploited by the ESXiArgs ransomware campaign.
Description
VMware ESXi contains a heap overflow vulnerability in the OpenSLP service, which is enabled by default on ESXi hosts. The vulnerability has been actively exploited in the wild by the ESXiArgs ransomware campaign.
The ESXiArgs ransomware campaign targets vulnerable ESXi servers, exploiting this vulnerability to deploy ransomware that encrypts virtual machine files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem) and demands a ransom for decryption.
This vulnerability has been widely exploited since February 2023, affecting thousands of unpatched ESXi servers worldwide.
Affected Products
- ESXi 7.0 before ESXi70U1c-17325551
- ESXi 6.7 before ESXi670-202102401-SG
- ESXi 6.5 before ESXi650-202102101-SG
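To turn the affected-product list above into a per-host patch check, here is an added Python example (not from this advisory or from CISA). It assumes the `vmware -vl` banner format `VMware ESXi <version> build-<build>`; the 7.0 fixed build is taken from the identifier above, while the 6.7 and 6.5 entries are given only as patch IDs here and are left as unknowns to fill in, and the inventory is constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed builds per ESXi branch, keyed by "major.minor".
# 7.0: taken from the advisory's "ESXi70U1c-17325551" identifier.
# 6.7 / 6.5: the advisory lists only patch IDs (ESXi670-202102401-SG,
# ESXi650-202102101-SG), so fill in the build numbers from those patch
# release notes; None means "unknown here" and yields an UNKNOWN verdict.
FIXED_BUILDS: Dict[str, Optional[int]] = {
    "7.0": 17325551,
    "6.7": None,   # ESXi670-202102401-SG
    "6.5": None,   # ESXi650-202102101-SG
}

# Assumed banner format of `vmware -vl`, e.g. "VMware ESXi 7.0.1 build-17325551".
BANNER_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)(?:\.\d+)? build-(\d+)")

def parse_banner(banner: str) -> Optional[Tuple[str, int]]:
    """Return ("major.minor", build) from a version banner, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return f"{m.group(1)}.{m.group(2)}", int(m.group(3))

def assess(banner: str) -> str:
    """Classify one host as VULNERABLE, PATCHED, UNKNOWN or NOT_LISTED."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "UNKNOWN"            # banner not recognised; check by hand
    branch, build = parsed
    if branch not in FIXED_BUILDS:
        return "NOT_LISTED"         # branch not in the advisory's product list
    fixed = FIXED_BUILDS[branch]
    if fixed is None:
        return "UNKNOWN"            # fixed build not recorded for this branch
    return "PATCHED" if build >= fixed else "VULNERABLE"

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each hostname in an inventory of banners to its verdict."""
    return {host: assess(banner) for host, banner in inventory.items()}

# Constructed sample inventory: hostnames and build numbers are made up for
# this demo, except the 7.0 fixed build taken from the advisory.
SAMPLE_INVENTORY = {
    "esx-01": "VMware ESXi 7.0.0 build-16000000",
    "esx-02": "VMware ESXi 7.0.1 build-17325551",
    "esx-03": "VMware ESXi 6.7.0 build-17000000",
    "esx-04": "VMware ESXi 8.0.0 build-20000000",
}
```

Hosts reported as UNKNOWN still need a manual comparison against the patch release notes before they are treated as safe.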
CVSS Score
About the Author
CISA
Government Agency
The Cybersecurity and Infrastructure Security Agency (CISA) is a United States federal agency responsible for improving cybersecurity across all levels of government and critical infrastructure.