CVE-2024-37085
Field notes
Analysis · May 20, 2026 · The Commentary Desk
ESXi handed out admin to a group named 'ESX Admins' and never checked who made it
CVE-2024-37085 is an authentication bypass: a domain-joined ESXi host grants full administrative control to any member of an Active Directory group named 'ESX Admins', without verifying that the group is legitimate or who created it. At least four ransomware crews used it to encrypt hypervisors. ESXi 7.0 isn't getting a patch.
Analysis · May 20, 2026 · operations-desk
The virtualization control plane keeps getting RCE'd, and ESXiArgs showed why that matters
vCenter and ESXi run your entire virtual estate. A run of pre-auth RCEs in vCenter (CVE-2021-21972, CVE-2021-21975, CVE-2021-21985, CVE-2021-22005) and the ESXi OpenSLP bugs (CVE-2019-5544, CVE-2020-3992) that fed the ESXiArgs ransomware wave show why the management layer is a crown-jewel target.