Critical Alert for VMWare vSphere, ESXi Users

Category Adversary Intelligence
Affected Industries Multiple
Affected Region Global

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a cybercrime forum, advertising the access to multiple VMware vCenter and ESXi servers.
  • The actor claims to have access to 1000 VMWare vCenter, ESXi server instances of companies across the globe.
  • CloudSEK Threat Intelligence Research team has been able to validate the claims mentioned in the post.


On 25 May 2021, a threat actor published a post on a dark web cybercrime forum, claiming to have gained unauthorized access to more than 1000 VMware vCenter and ESXi server instances of companies across industry verticals. This includes access to login credentials in plaintext of schools, network SDDC, gaming company, Hostinger servers, etc. The actor claims that most companies have used default domains, making it hard to name the affected companies and that they have more than 100 active Virtual Machines running on their servers. The actor has also shared samples as proof of access.

Threat actor’s post on the cybercrime forum

The threat actor joined the forum on 24 May 2021 and is relatively new to the forum. The actor purchased premium membership and has two threads advertising vCenter Server/ESXi accesses.


Information from HUMINT

CloudSEK’s reliable source connected with the threat actor who privately shared a list of affected entities including industries from different countries. The threat actor had also advertised these accesses publicly on the cybercrime forum but subsequently took it down. CloudSEK Threat Intelligence researchers have been able to confirm that none of the accesses advertised or shared with our reliable source are related to Indian banks.

VMWare vulnerabilities on underground forums (Update)

Highly reputed threat actors on underground forums actively looking for PoC exploits for VMware vulnerabilities including the following CVEs:

  • CVE-2020-4004: VMware ESXi vulnerability that allows attackers with local user privileges to execute code.
  • CVE-2021-21974: vulnerability in ESXi OpenSLP that leads to remote code execution
  • CVE-2020-4005: VMware ESXi vulnerability that leads to privilege escalation after chaining with other vulnerabilities.
  • CVE-2019-5544: vulnerability in ESXi OpenSLP that leads to heap overwrite.
  • CVE-2020-3992: vulnerability in ESXi OpenSLP that leads to remote code execution

In addition, other threat actors are looking for partners to provide ESXi access.

Impact & Mitigation


1 Like