How to Detect VMware ESXi Exploitation
How to Detect VMware ESXi Exploitation
VMware ESXi hypervisors are high-value targets for attackers because they host entire virtual infrastructures. A successful compromise can give an adversary control over many critical systems at once. These servers contain valuable data, are unfortunately frequently exposed to the Internet, and are often not covered by traditional EDR, making them very attractive for ransomware and espionage. (One ransomware campaign noted that compromising a single ESXi host allowed attackers to encrypt all contained VMs in one go.)
SOC teams must therefore monitor ESXi-specific activity closely. This includes understanding how attackers gain ESXi credentials, what vulnerabilities they exploit, and what behaviors they display post-compromise – and then putting in place logging, alerts, and deception to catch those behaviors.
How Attackers Obtain ESXi Credentials
Most attacks on ESXi don’t start on the hypervisor itself, but from inside the network. Attackers typically first gain a foothold via phishing or other means, then steal or abuse admin credentials that also work for vSphere/ESXi. For example, the Scattered Spider (UNC3944) gang recently exfiltrated an Active Directory NTDS.dit database from a retailer’s network in early 2025. They cracked the domain hashes offline and moved laterally across the environment, accessing high-value assets including VMware ESXi hosts. In other words, they harvested domain-admin creds which let them log into vCenter/ESXi.
Similarly, Chinese cyber-espionage group UNC3886 has targeted VMware infrastructure. Mandiant found that UNC3886 infiltrated a vCenter Server (often via an earlier breach or phishing) and dumped the internal database to extract the built-in vpxuser service-account password for every ESXi host managed by that vCenter. With those credentials, the attackers could connect to each ESXi host, push out malware (via VIB packages), and laterally traverse to other hosts.
In many other cases, attackers simply buy or guess valid ESXi credentials. A survey of ESXi ransomware incidents found that adversaries often obtain access by buying credentials from initial-access brokers or by scanning the Internet (e.g. via Shodan) for exposed ESXi hosts, then exploiting known flaws. Weak or reused passwords for ESXi/vCenter logins are a common entry point. In short, SOC analysts should assume that any compromise of corporate domain or vCenter credentials could give an attacker ESXi login.
Example: In one campaign, attackers used Cobalt Strike and Mimikatz on domain controllers, then created a new domain account in an “ESX Admins” group. This later triggered a VMware vulnerability (see below) but it began with insider credentials.
Common ESXi Vulnerabilities and Exploits
Once inside the network, adversaries exploit ESXi-specific flaws to break into hypervisors directly. Several high-profile vulnerabilities have been weaponized:
- CVE-2021-21974 (ESXi OpenSLP RCE) – An unauthenticated heap overflow in the Service Location Protocol (SLP). Since late 2022 it has been widely exploited by ransomware gangs (e.g. BlackBasta, ALPHV, Cl0p). Campaigns in early 2023 continued exploiting CVE-2021-21974 after first gaining a foothold via phishing.
- CVE-2024-37085 (ESXi Domain-Join Bypass) – Disclosed in mid-2024. ESXi trusts any AD group named “ESX Admins”, granting it full hypervisor rights. Creating that group and adding an attacker account instantly yields admin access. Patched in July 2024 but seen in the wild.
- CVE-2023-20867 (VMware Tools GuestOps RCE) – Allows an attacker with ESXi admin (or vpxuser) rights to execute code inside any VM without guest credentials. Used by UNC3886 in 2023 to perform stealthy host-to-guest operations invisible in guest logs.
- Other VMware flaws – Adversaries have chained issues such as CVE-2023-34048 (vCenter RCE) and CVE-2022-22954/22960 (Workspace One template injection) to gain root or lateral movement.
These exploits let attackers run arbitrary commands on ESXi.
Post-Exploitation Activity (Ransomware & Beyond)
Once an ESXi host is compromised, common firsts post-exploitation steps are to disable backup/log services, install backdoor VIBs, and then launch ransomware. Mandiant observed UNC3886 installing malicious VIBs as persistent backdoors, then restomping timestamps to hide them. Attackers often encrypt all hosted VMs. Ransomware strains like ESXiArgs and DragonForce operate entirely at the hypervisor level. In a recent UK retail breach, Scattered Spider deployed DragonForce to 24 ESXi hosts, halting operations. Other ransomware such as Royal and Cl0p have similar ESXi variants.
Beyond encryption, attackers may install custom backdoors. UNC3886 pushed VIB-based implants (VIRTUALPITA and VIRTUALPIE) that survive reboots and listen on TCP or VMCI. Some actors timestomp ESXi logs, disable monitoring, migrate VMs, or use APIs to exfiltrate VM contents—all strong indicators of compromise.
Example: After gaining admin rights, UNC3886 timestomped vmkwarning.log and disabled guest logging before executing CVE-2023-20867, leaving minimal forensic trace.
Some Detection Strategies
- Centralize ESXi logs. Export hostd.log, auth.log, vmkernel.log, and vCenter tasks to your SIEM; grep for “unauthorized access”.
- Alert on suspicious logins. Any SSH success on ESXi or root login at odd hours should alarm; watch failed-login spikes.
- Monitor AD/vCenter events. Alert on creation/modification of “ESX Admins” in AD, new vCenter users/groups, or mass firewall-rule pushes.
- Ransomware behaviors. Look for vmsyslogd stopping, bulk VM power-offs, and datastore-file changes.
- Deception and decoys. Stand-up honeypot ESXi hosts with fake creds; any login to a decoy is a clear signal.
- Regular scanning and patching. Apply ESXi updates promptly; if you can’t, isolate hosts or disable risky services like SLP and SSH.
