
Meitar Pinto

Researcher from Microsoft
Rank #31048 of 53,632
Total CVSS: 8.3
Vulnerabilities: 1
PT-2024-4541 · CVSS 8.3 · 2024-06-25 · VMware · VMware ESXi · CVE-2024-37085
**Name of the Vulnerable Software and Affected Versions**

VMware ESXi (affected versions not specified)

**Description**

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by recreating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.

Multiple ransomware groups, including BlackByte, Akira, and those linked to Scattered Spider and Conti, are actively exploiting this issue. Attackers combine techniques such as phishing, exploitation of the vulnerability to gain administrative access, and tools like Cobalt Strike and Pypykatz. Because the flaw bypasses authentication and yields full administrative privileges on the host, exploitation can lead to the encryption of entire virtualized infrastructures. Some groups are also using vulnerable drivers to disable security measures.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.