Several researchers are warning that over 41,000 instances of VMware software exposed to the internet may be vulnerable to at least one of three recently discovered vulnerabilities.
The flaws, collectively named ‘ESXicape’, can be chained by a threat actor who already holds administrative or root-level privileges inside a guest virtual machine (VM) to escape that VM and access the underlying hypervisor. From the hypervisor, the attacker sits below the security products installed in the guests and can reach every VM on the host, including valuable assets such as Active Directory domain controller databases and stored data, without triggering guest-level alerts.
A security researcher also revealed that an unnamed hacker recently offered to sell an ESXi VM escape exploit for $150,000. It’s unconfirmed whether this exploit was related to ESXicape, or even a legitimate exploit.
Other researchers have pointed out that there doesn’t appear to be a proof-of-concept (PoC) exploit for ESXicape publicly available, which should provide affected users with more time to patch their systems.
Source: SecurityWeek
Analysis
Given how widely VMware solutions are deployed, it’s unsurprising that so many vulnerable instances are exposed to the internet. However, it’s vital that this number decreases as quickly as possible, both by patching and by taking hypervisor management interfaces off the public internet entirely, to shrink the window of opportunity threat actors have to target vulnerable instances before they are patched.
While PoC exploit code may not publicly exist now, that is likely to change soon as threat actors and researchers alike reverse engineer the patches for the ESXicape vulnerabilities. Thus, impacted users must apply the necessary updates as soon as possible.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for threats targeting virtual environments. Field Effect MDR users were automatically notified if a vulnerable version of VMware was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly encourages organizations to apply the necessary patches in accordance with Broadcom’s advisory as soon as possible to mitigate the risks associated with these vulnerabilities.
Additionally, Field Effect recommends organizations that run virtualized environments consider the following proactive steps to protect themselves from VM escape threats and hypervisor compromises:
- Apply security patches promptly – Security patches should be applied as soon as possible to close known vulnerabilities before threat actors can weaponize them; the absence of a public PoC is not a reason to wait.
- Implement network segmentation – Limiting network access between VMs, hypervisors, and external systems reduces the impact of an attack. Hypervisor management interfaces (vCenter, ESXi host management, SSH) belong on a dedicated management network that is not reachable from the internet or from general user segments; firewalls and VLANs can help isolate critical workloads.
- Restrict administrative access – Implement the principle of least privilege (PoLP) by ensuring only authorized users can manage virtualized infrastructure. Use role-based access controls (RBAC), disable unnecessary administrative accounts, and remember that ESXicape starts from administrative privileges inside a guest, so local admin rights on VMs matter too.
- Enable security hardening features – Organizations should harden hypervisor settings according to VMware’s best practices. For example, ESXi supports UEFI Secure Boot for hosts, lockdown mode, and virtual TPMs, and unnecessary virtual devices and guest-to-host communication channels should be disabled on VMs that do not need them.
- Monitor for anomalous activity – Deploy cybersecurity solutions capable of identifying irregular and suspicious activity, such as unexpected hypervisor configuration changes (lockdown mode disabled, SSH or the ESXi Shell enabled), host logins from outside the management network, or unauthorized VM-to-host interactions.
- Implement strong authentication – Require multi-factor authentication (MFA) for access to VMware environments to prevent unauthorized access due to credential theft.
- Regularly audit and test virtual environments – Conduct penetration tests and vulnerability assessments to identify weaknesses that could lead to VM escape or hypervisor compromise.
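As an added illustration of the monitoring and access-restriction items above, the following Python script triages ESXi host log lines for the kinds of hypervisor-level tampering a VM-escape attacker would leave behind. It is example code written for this page, not Field Effect or Broadcom tooling. The line shapes (a simplified shell.log command line and a simplified hostd event line), the sample log, the management subnet and the rule list are all constructed assumptions; adapt the regexes to the exact format your log pipeline emits.

```python
"""Triage constructed ESXi host-log lines for signs of hypervisor tampering.

Added example for this page, not vendor or Field Effect code. Line formats are
simplified approximations of ESXi shell.log and hostd event lines.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: the only network from which hypervisor logins are legitimate.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed, simplified line shapes:
#   shell:  "<ts> shell[<pid>]: [<user>]: <command>"
#   hostd:  "<ts> hostd: <event text>"
SHELL_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
HOSTD_RE = re.compile(r"^(?P<ts>\S+) hostd: (?P<event>.+)$")
LOGIN_RE = re.compile(r"^User (?P<user>\S+)@(?P<ip>[0-9a-fA-F.:]+) logged in")

# Interactive host-shell commands that change hypervisor state. On a host in
# lockdown mode with the ESXi Shell disabled, *any* shell command is notable,
# so unmatched commands are still reported at low severity.
SHELL_RULES = (
    (re.compile(r"\besxcli system (module|settings (kernel|advanced)) set\b"),
     "high", "hypervisor module/kernel/advanced setting changed"),
    (re.compile(r"\besxcli system account (add|set)\b"),
     "high", "local host account added or modified"),
    (re.compile(r"vim-cmd hostsvc/enable_(ssh|esx_shell)|/etc/init\.d/SSH start"),
     "high", "remote shell access enabled"),
    (re.compile(r"\bvmkfstools\b"),
     "medium", "datastore / virtual disk manipulated from the host shell"),
    (re.compile(r"\bchmod\s+\+?x\b|\bcurl\b|\bwget\b"),
     "medium", "file downloaded or made executable on the host"),
)
HOSTD_RULES = (
    (re.compile(r"lockdown mode .*disabled", re.I), "high", "lockdown mode disabled"),
    (re.compile(r"\bReconfigured\b"), "medium",
     "VM hardware reconfigured (check for newly added devices or host-guest channels)"),
)


@dataclass(frozen=True)
class Finding:
    ts: str
    severity: str
    reason: str
    raw: str


def _login_finding(ts: str, event: str, raw: str) -> Optional[Finding]:
    """Flag hypervisor logins that originate outside the management network."""
    m = LOGIN_RE.match(event)
    if not m:
        return None
    ip = ipaddress.ip_address(m["ip"])
    if any(ip in net for net in MGMT_NETWORKS):
        return None
    return Finding(ts, "high",
                   f"hypervisor login by {m['user']} from {ip}, outside the management network", raw)


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.rstrip("\n")
        if not raw:
            continue
        sh = SHELL_RE.match(raw)
        if sh:
            cmd = sh["cmd"]
            for pat, sev, reason in SHELL_RULES:
                if pat.search(cmd):
                    findings.append(Finding(sh["ts"], sev, f"{reason} by {sh['user']}: {cmd}", raw))
                    break
            else:
                findings.append(Finding(sh["ts"], "low",
                                        f"interactive host shell command by {sh['user']}: {cmd}", raw))
            continue
        hd = HOSTD_RE.match(raw)
        if hd:
            event = hd["event"]
            if LOGIN_RE.match(event):
                login = _login_finding(hd["ts"], event, raw)
                if login:
                    findings.append(login)
                continue
            for pat, sev, reason in HOSTD_RULES:
                if pat.search(event):
                    findings.append(Finding(hd["ts"], sev, reason, raw))
                    break
    return findings


def summarize(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample log: one benign vCenter login, then a sequence that looks
# like an attacker opening up the host after landing on it.
SAMPLE_LOG = """\
2025-03-05T10:12:40Z hostd: User vpxuser@10.10.0.5 logged in as VMware vim-java
2025-03-05T10:14:02Z hostd: User root@203.0.113.7 logged in as VMware-client/8.0.0
2025-03-05T10:14:30Z hostd: Lockdown mode was disabled on esx01.example.internal
2025-03-05T10:15:01Z shell[2281]: [root]: vim-cmd hostsvc/enable_ssh
2025-03-05T10:15:20Z shell[2281]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0
2025-03-05T10:16:05Z shell[2281]: [root]: ls /vmfs/volumes
2025-03-05T10:18:44Z hostd: Reconfigured dc01 on esx01.example.internal
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.ts} [{f.severity.upper():6}] {f.reason}")
    print(summarize(results))
```

On the sample above the script reports four high-severity findings (the out-of-network root login, lockdown mode being disabled, SSH being enabled, and an advanced setting change), one medium (the VM reconfiguration) and one low (the stray `ls`); the benign vCenter login from the management subnet produces nothing. Feed it the real log files (or your SIEM export) rather than the embedded sample, and tune `MGMT_NETWORKS` and the rule tables to your environment.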