
Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers


Advisory
06 Feb 2023


Background

A new wave of ransomware attacks targeting VMware ESXi hypervisors is exploiting a known vulnerability, CVE-2021-21974, on unpatched systems. The issue is a heap overflow in the Open Service Location Protocol (OpenSLP) service that can lead to remote code execution.


Impact

Possible loss and leakage of data


Affected Versions

  • ESXi 7.x versions earlier than ESXi70U1c-17325551
  • ESXi 6.7.x versions earlier than ESXi670-202102401-SG
  • ESXi 6.5.x versions earlier than ESXi650-202102101-SG


Recommendations

  • Upgrade to the latest version of ESXi
  • Apply all patches available for the ESXi hypervisor
  • Restrict access to the OpenSLP service to trusted IP addresses only
  • Perform a system scan to detect any signs of compromise
  • Regularly back up data. Ensure copies of critical data cannot be modified or deleted from the system where the data resides.
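A small offline triage helper for the first three recommendations, added here as an example (not the advisory's own tooling). It evaluates text collected from an ESXi host with the real commands `vmware -vl` (version and build line) and `esxcli network firewall ruleset list` (which includes the CIMSLP ruleset that governs SLP reachability). Only the ESXi 7.x fixed build (17325551) comes from the advisory; the 6.5 and 6.7 fixed build numbers are not on this page and are left as placeholders to be filled from the vendor notes for ESXi650-202102101-SG and ESXi670-202102401-SG.

```python
import re

# Fixed build per ESXi line. The 7.0 value is taken from the advisory
# (ESXi70U1c-17325551). The 6.x entries are placeholders (assumption):
# fill them from the vendor patch notes before trusting the result.
FIXED_BUILDS = {
    "7.0": 17325551,
    "6.7": None,  # ESXi670-202102401-SG build not on this page
    "6.5": None,  # ESXi650-202102101-SG build not on this page
}

# First line of `vmware -vl` looks like: VMware ESXi 7.0.1 build-17325551
VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+)\.\d+ build-(\d+)")


def parse_vmware_vl(text):
    """Return (line, build) such as ('7.0', 17325551) from `vmware -vl` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised 'vmware -vl' output")
    return m.group(1), int(m.group(2))


def build_status(text):
    """'patched', 'vulnerable', or 'unknown' (unsupported line / placeholder)."""
    line, build = parse_vmware_vl(text)
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return "unknown"
    return "patched" if build >= fixed else "vulnerable"


def slp_ruleset_enabled(ruleset_list):
    """True if the CIMSLP ruleset is enabled in
    `esxcli network firewall ruleset list` output (columns: Name Enabled)."""
    for row in ruleset_list.splitlines():
        parts = row.split()
        if len(parts) >= 2 and parts[0] == "CIMSLP":
            return parts[1].lower() == "true"
    return False  # ruleset absent: SLP not reachable through the host firewall


def triage(vmware_vl, ruleset_list):
    """Combine patch level and SLP exposure into one defender-facing verdict.
    'unknown' is treated conservatively: a host is at risk unless it is
    known to be patched or SLP is blocked at the firewall."""
    status = build_status(vmware_vl)
    slp_open = slp_ruleset_enabled(ruleset_list)
    return {"build": status, "slp_enabled": slp_open,
            "at_risk": status != "patched" and slp_open}
```

A host reported as `at_risk` with an `unknown` build should be re-checked after the 6.x placeholders are filled in, not dismissed.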

