Critical Alert for VMWare vSphere, ESXi Users

A post on a cybercrime forum is advertising the access to multiple VMware vCenter and ESXi servers.
Updated on
April 19, 2023
Published on
July 26, 2021
Subscribe to the latest industry news, threats and resources.
Category Adversary Intelligence
Affected Industries Multiple
Affected Region Global

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a cybercrime forum, advertising the access to multiple VMware vCenter and ESXi servers.
  • The actor claims to have access to 1000 VMWare vCenter, ESXi server instances of companies across the globe.
  • CloudSEK Threat Intelligence Research team has been able to validate the claims mentioned in the post.


On 25 May 2021, a threat actor published a post on a dark web cybercrime forum, claiming to have gained unauthorized access to more than 1000 VMware vCenter and ESXi server instances of companies across industry verticals. This includes access to login credentials in plaintext of schools, network SDDC, gaming company, Hostinger servers, etc.  The actor claims that most companies have used default domains, making it hard to name the affected companies and that they have more than 100 active Virtual Machines running on their servers. The actor has also shared samples as proof of access. [caption id="attachment_17594" align="aligncenter" width="794"] Threat actor’s post on the cybercrime forum[/caption] The threat actor joined the forum on 24 May 2021 and is relatively new to the forum. The actor purchased premium membership and has two threads advertising vCenter Server/ESXi accesses.  


Information from HUMINT
CloudSEK’s reliable source connected with the threat actor who privately shared a list of affected entities including industries from different countries. The threat actor had also advertised these accesses publicly on the cybercrime forum but subsequently took it down. CloudSEK Threat Intelligence researchers have been able to confirm that none of the accesses advertised or shared with our reliable source are related to Indian banks.
VMWare vulnerabilities on underground forums (Update)
Highly reputed threat actors on underground forums actively looking for PoC exploits for VMware vulnerabilities including the following CVEs:
  • CVE-2020-4004: VMware ESXi vulnerability that allows attackers with local user privileges to execute code.
  • CVE-2021-21974: vulnerability in ESXi OpenSLP that leads to remote code execution
  • CVE-2020-4005: VMware ESXi vulnerability that leads to privilege escalation after chaining with other vulnerabilities.
  • CVE-2019-5544: vulnerability in ESXi OpenSLP that leads to heap overwrite.
  • CVE-2020-3992: vulnerability in ESXi OpenSLP that leads to remote code execution
 In addition, other threat actors are looking for partners to provide ESXi access.

Impact & Mitigation

Impact Mitigation
  • The actor claims to have access to plaintext login credentials, which could result in other forms of attacks targeting other hosts on the same virtual machine monitor.
  • Attackers can leverage the access to plant different types of malicious files on the host, including ransomwares.
    • Enable 2FA for login credentials, and observe password policy best practices.
    • Restrict admin access to few users with custom roles for each type of user.
    • Monitor privileges assigned to administrators.
    • Restrict the access privileges to vCenter servers and databases depending on the type of user.
    • Apply the latest patches and updates from vendors.

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations