PT-2024-4541 · VMware · VMware ESXi

Authors: Danielle Kuznets Nohi (+2)

Published: 2024-06-25 · Updated: 2025-08-05

CVE-2024-37085

CVSS v2.0: 8.3
Vector: AV:N/AC:L/Au:M/C:C/I:C/A:C

**Name of the Vulnerable Software and Affected Versions:**

VMware ESXi versions 7.0 through 8.0

VMware Cloud Foundation (vSphere) versions 5.2 and earlier

**Description:**

VMware ESXi contains an authentication bypass vulnerability that allows malicious actors with sufficient Active Directory (AD) permissions to gain full access to an ESXi host previously configured to use AD for user management. This is achieved by recreating the configured AD group ('ESXi Admins' by default) after it has been deleted from AD. Multiple ransomware groups, including BlackByte, Akira, and Storm-0506, are actively exploiting this vulnerability. They are utilizing tools like Cobalt Strike, Pypykatz, and vulnerable drivers to steal credentials, move laterally within networks, and deploy ransomware such as Black Basta and Akira. Cisco Talos has observed the BlackByte ransomware group exploiting this vulnerability to control virtual machines. Scattered Spider hackers are also leveraging this flaw in conjunction with social engineering and custom rootkits.

**Recommendations:**

VMware ESXi versions 7.0 through 8.0: Apply the latest security updates provided by VMware to address this authentication bypass vulnerability.

VMware Cloud Foundation (vSphere) versions 5.2 and earlier: Apply the latest security updates provided by VMware to address this authentication bypass vulnerability.

Consider changing the default 'ESXi Admins' Active Directory group name on the ESXi hosts to mitigate the risk of unauthorized access through a recreated AD group.

Implement strong authentication measures, such as multi-factor authentication, to enhance security.

Segment your network to limit the potential impact of a successful exploit.

Monitor for suspicious activity related to the 'ESXi Admins' group and unusual ESXi activity.
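The following PowerCLI script is an added example and is not part of the advisory or of VMware's own tooling. It audits every connected ESXi host for the two conditions the bypass depends on (the default 'ESXi Admins' group name and automatic admin-group mapping) and optionally applies the hardened values; the ESXi advanced setting names are the real host settings, while `$ApprovedGroup` is a placeholder for the renamed group your organisation uses. It assumes VMware PowerCLI is installed and a session has already been opened with `Connect-VIServer`.

```powershell
# Added example (not from the advisory): audit ESXi hosts for the default
# AD admin group and the auto-add behaviour that CVE-2024-37085 relies on.
# Assumes PowerCLI is installed and Connect-VIServer has already been run.
# The two advanced setting names are real ESXi host settings;
# $ApprovedGroup is a placeholder for your non-default group name.
param(
    [string]$ApprovedGroup = 'ESXi-Admins-RENAMED-PLACEHOLDER',
    [switch]$Remediate
)

$GroupSetting   = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'
$AutoAddSetting = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'

$report = foreach ($vmhost in Get-VMHost) {
    $group   = (Get-AdvancedSetting -Entity $vmhost -Name $GroupSetting).Value
    $autoAdd = (Get-AdvancedSetting -Entity $vmhost -Name $AutoAddSetting).Value

    # Weak state: the default group name is still in use, or the host still
    # maps whatever AD group carries that name to full administrator rights.
    $weak = ($group -eq 'ESXi Admins') -or ($autoAdd -eq 'true')

    if ($weak -and $Remediate) {
        # Hardened state: non-default group name and automatic mapping disabled.
        Get-AdvancedSetting -Entity $vmhost -Name $GroupSetting |
            Set-AdvancedSetting -Value $ApprovedGroup -Confirm:$false | Out-Null
        Get-AdvancedSetting -Entity $vmhost -Name $AutoAddSetting |
            Set-AdvancedSetting -Value $false -Confirm:$false | Out-Null
    }

    [pscustomobject]@{
        Host       = $vmhost.Name
        AdminGroup = $group
        AutoAdd    = $autoAdd
        Weak       = $weak
        Remediated = ($weak -and $Remediate)
    }
}

# Hosts flagged Weak=True are the ones to review and to watch in AD for
# deletion or recreation of the configured admin group.
$report | Format-Table -AutoSize
```

Run without `-Remediate` first to obtain an inventory; rerun with `-Remediate` only after the replacement AD group exists and its membership has been reviewed.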

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2024-05045
CVE-2024-37085

Affected Products

VMware ESXi