VMware ESXi automatically assumes that any user in an associated Active Directory group called “ESX Admins” is effectively an administrator, even if a hacker creates that group themselves.
Microsoft researchers have discovered a serious, actively exploited vulnerability in the VMware ESXi hypervisor. It allows attackers to make themselves and other users administrators. The attack is part of a chain in which the hackers already have access to an IT environment, more specifically to Active Directory. If AD is linked to the VMware environment, they can easily switch to it with maximum privileges.
It is enough to create a new group in AD called “ESX Admins”. ESXi automatically treats every user in this group as an administrator. Attackers can create the group at any time; once it exists, ESXi grants its members administrator rights.
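As an added example (not from the article or from Microsoft), the following Python snippet shows the kind of detection a defender would run over domain-controller Security events: it flags the creation, population or renaming of an AD group whose name is “ESX Admins”. The event IDs and field names (4727/4728/4781, TargetUserName, MemberName, NewTargetUserName) are the standard Windows ones; the key=value log format and the sample events are constructed for the example, and the group name is matched case-insensitively as a deliberately conservative choice.

```python
"""Flag AD group events that would hand out ESXi administrator rights."""
import re
from dataclasses import dataclass

WATCHED_GROUP = "esx admins"  # ESXi treats members of this AD group as admins

# Standard Windows Security event IDs for security-group lifecycle:
GROUP_CREATED = {"4727", "4731", "4754"}  # global / local / universal group created
MEMBER_ADDED = {"4728", "4732", "4756"}   # member added to global / local / universal group
GROUP_RENAMED = {"4781"}                  # account (including a group) renamed

# Constructed sample records in a simplified key=value form (not real EVTX output).
SAMPLE_LOG = [
    'EventID=4727 SubjectUserName=jdoe TargetUserName="ESX Admins" TargetDomainName=CORP',
    'EventID=4728 SubjectUserName=jdoe MemberName="CN=svc-backup,CN=Users,DC=corp,DC=example" TargetUserName="ESX Admins"',
    'EventID=4781 SubjectUserName=jdoe OldTargetUserName="Helpdesk Staff" NewTargetUserName="esx admins"',
    'EventID=4727 SubjectUserName=admin01 TargetUserName="Finance Users" TargetDomainName=CORP',
    'EventID=4728 SubjectUserName=admin01 MemberName="CN=alice,CN=Users,DC=corp,DC=example" TargetUserName="Finance Users"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    event_id: str
    actor: str
    reason: str


def parse_event(line):
    """Parse one constructed key=value record into a dict (quoted values may contain spaces)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def _is_watched(name):
    # Case-insensitive, whitespace-trimmed comparison (conservative assumption).
    return name.strip().lower() == WATCHED_GROUP


def check_event(fields):
    """Return a Finding if this event creates, fills or renames the watched group."""
    eid = fields.get("EventID", "")
    actor = fields.get("SubjectUserName", "?")
    if eid in GROUP_CREATED and _is_watched(fields.get("TargetUserName", "")):
        return Finding(eid, actor, "group 'ESX Admins' created")
    if eid in MEMBER_ADDED and _is_watched(fields.get("TargetUserName", "")):
        return Finding(eid, actor, f"{fields.get('MemberName', '?')} added to 'ESX Admins'")
    if eid in GROUP_RENAMED and _is_watched(fields.get("NewTargetUserName", "")):
        return Finding(eid, actor, f"'{fields.get('OldTargetUserName', '?')}' renamed to 'ESX Admins'")
    return None


def scan(lines):
    """Run the check over a sequence of log lines and return all findings."""
    return [f for f in (check_event(parse_event(line)) for line in lines) if f]
```

A real deployment would feed the same checks with events from a SIEM rather than from the constructed list, and would alert on any hit, since legitimate creation of this group is rare and easily verified with the change ticket.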
High rights
The potential damage is great. ESXi is a bare-metal hypervisor. Anyone with administrator access can delete or encrypt virtual machines at will. Everything that runs on the hypervisor is vulnerable.
The vulnerability is severe and easy to exploit, but VMware still only gives it a CVSS rating of 6.8. This is an analysis that independent experts dispute, not least because attackers are actively exploiting the flaw today.
Microsoft recommends that administrators take immediate action to ensure the flaw cannot be exploited. As always, it is important to install the correct patches. Broadcom reportedly does not plan an update for ESXi 7.