Mallory
High · CISA KEV · Exploited in the wild · Public exploit

VMware ESXi Active Directory Integration Authentication Bypass

Identifiers: CVE-2024-37085 · CWE-305 · Authentication Bypass by Primary…

CVE-2024-37085 is an authentication bypass vulnerability in VMware ESXi affecting hosts that are joined to Active Directory for user management. On vulnerable domain-joined ESXi systems, membership in a specially named AD group is treated as sufficient for full ESXi administrative access without proper validation. The issue is described as involving the ESXi behavior of automatically granting administrator privileges to members of the configured AD management group, commonly referenced in reporting as "ESX Admins" and in some Broadcom materials as "ESXi Admins." An attacker with sufficient permissions in Active Directory can exploit the flaw by creating, recreating, or renaming a domain group to the expected name and adding a controlled account to that group. ESXi then grants that account full administrative privileges on the host. Reporting also indicates stale elevated access may persist until an ESXi privileges refresh is performed.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthorized administrative access to the ESXi host. In practice this gives an attacker full control of the hypervisor management plane and, by extension, the ability to control hosted virtual machines. Observed impacts in the wild include ransomware deployment, mass encryption of VMs, disruption of virtualized infrastructure, and follow-on privilege escalation and persistence within the environment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by avoiding or removing direct Active Directory integration for ESXi where operationally feasible and using local ESXi accounts instead. Closely monitor AD for creation, deletion, or modification of groups named "ESX Admins" or "ESXi Admins," and alert on commands such as net.exe/net1.exe used to create such groups. Restrict who can create or rename AD groups, enforce least privilege on AD administrative roles, and tightly control access to ESXi management interfaces. Additional hardening measures noted in supporting content include MFA for management access, segmented management networks, bastion/jump-host administration, and ensuring ESXi hosts are not directly exposed to the internet.
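An added example, not part of the Mallory brief, of the AD monitoring described above: it walks a list of constructed events loosely modelled on the Windows Security log and flags group creation, group rename, membership changes and net.exe/net1.exe group creation that target the "ESX Admins" / "ESXi Admins" names. The event IDs (4727, 4781, 4728, 4688), the field names and every sample event are assumptions constructed for this example, not real telemetry.

```python
import re

# Group names a vulnerable domain-joined ESXi host maps to its Administrator role.
WATCHED_GROUPS = {"esx admins", "esxi admins"}

# Constructed sample events (assumption: Windows Security log IDs,
# 4727 = security-enabled group created, 4781 = account/group renamed,
# 4728 = member added to group, 4688 = process created).
SAMPLE_EVENTS = [
    {"id": 4727, "subject": "CORP\\jdoe", "group": "Finance Users"},
    {"id": 4727, "subject": "CORP\\svc-backup", "group": "ESX Admins"},
    {"id": 4781, "subject": "CORP\\svc-backup",
     "old_name": "Printer Ops", "new_name": "ESXi Admins"},
    {"id": 4728, "subject": "CORP\\svc-backup",
     "group": "ESX Admins", "member": "CORP\\svc-backup"},
    {"id": 4688, "subject": "CORP\\svc-backup",
     "process": "C:\\Windows\\System32\\net1.exe",
     "cmdline": 'net1 group "ESX Admins" /domain /add'},
    {"id": 4688, "subject": "CORP\\jdoe",
     "process": "C:\\Windows\\System32\\net.exe", "cmdline": "net user"},
]

# net.exe / net1.exe group creation: capture the group name being added.
NET_GROUP_ADD = re.compile(
    r'net1?(?:\.exe)?\s+group\s+"?(?P<name>[^"/]+?)"?\s+(?:/domain\s+)?/add', re.I)


def _norm(name):
    """Collapse whitespace and case so 'ESX  Admins' still matches."""
    return " ".join(name.split()).lower()


def alert_for(ev):
    """Return an alert string if the event touches a watched group, else None."""
    eid = ev["id"]
    if eid == 4727 and _norm(ev["group"]) in WATCHED_GROUPS:
        return f"group created: {ev['group']} by {ev['subject']}"
    if eid == 4781 and _norm(ev["new_name"]) in WATCHED_GROUPS:
        return f"group renamed to {ev['new_name']} (was {ev['old_name']}) by {ev['subject']}"
    if eid == 4728 and _norm(ev["group"]) in WATCHED_GROUPS:
        return f"member {ev['member']} added to {ev['group']} by {ev['subject']}"
    if eid == 4688 and ev["process"].lower().endswith(("\\net.exe", "\\net1.exe")):
        m = NET_GROUP_ADD.search(ev["cmdline"])
        if m and _norm(m.group("name")) in WATCHED_GROUPS:
            return f"net.exe group creation {ev['cmdline']!r} by {ev['subject']}"
    return None


def scan(events):
    """Return the alerts raised over a sequence of events, in order."""
    return [a for a in (alert_for(e) for e in events) if a]
```

Feeding real exported events requires mapping your SIEM's field names onto the keys used here; the matching logic itself is what carries over.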

Remediation

Patch, then assume compromise.

Apply Broadcom/VMware patches for CVE-2024-37085 to affected ESXi deployments. Review ESXi hosts joined to Active Directory and verify whether the privileged AD group mapping is present or can be abused. Check for creation or modification of suspicious groups named "ESX Admins" and "ESXi Admins," depending on environment behavior and vendor guidance. After corrective actions, initiate an ESXi Hypervisor Privileges refresh so stale elevated permissions are removed and privilege assignments are recalculated correctly.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as a fake, detection script, or README-only repo.

VALID 0 / 1 TOTAL

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor      Product           Type
Broadcom    Cloud Foundation  application
Broadcom    Esxi              operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence (8)

Every observed campaign linking this CVE to a named adversary.

Associated malware (24)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (1)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (14)

Community discussion across Reddit, Mastodon, and other social sources.