Over the weekend, ESXiArgs ransomware hit VMware servers and encrypted thousands of unpatched, internet-exposed ESXi systems. Threat actors are actively exploiting a two-year-old remote code execution vulnerability (CVE-2021-21974), which allows them to execute remote commands on unpatched VMware ESXi servers via the OpenSLP service (port 427).

CVE-2021-21974 was patched in February 2021, but current attack campaigns are targeting systems that remain unpatched. Once the threat actor gains access, the vulnerability allows them to encrypt files on the ESXi server and leave a ransom note. The ransom note asks for $50,000 in bitcoin for decryption. Current impacted systems are ESXi hypervisors in version 7.0 U3i and prior.

More than 3,200 servers are encrypted, and more than a third of those servers are hosted in France. Security researcher Kevin Beaumont stated that many cloud providers offer managed VMware hosting, yet they have not been patching, leaving all ports open to the internet on management IPs.  

Organizations running VMware are advised to patch ESXi servers and upgrade to an unaffected version, such as v8, or disable the OpenSLP service immediately. VMware’s advisory states that the possibility of exploitation of CVE-2021-21974 can be removed by performing the steps detailed in the resolution section of their advisory.  



Avertium's Recommendations

As previously stated, Avertium advises patching ESXi servers and upgrading to an unaffected version, such as v8. You may find guidance here

CVE-2021-21974 impacts the following systems:  

  • ESXi versions 7.x prior to ESXi70U1c-17325551 
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG 
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG 
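
As an added example (not code from VMware's advisory or from Avertium), the script below classifies a host's `vmware -v` banner against the fix levels listed above and, for hosts that are not confirmed fixed, walks through disabling the SLP service. It runs in dry-run mode by default and only prints the commands. The sample banner is constructed, and the banner format and the `slpd`, `esxcli` and `chkconfig` commands are assumptions about the target host that should be confirmed against VMware's KB article on disabling SLP.

```shell
#!/bin/sh
# Added example, not VMware's or Avertium's code. Meant for the ESXi shell of a host you administer.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Classify a `vmware -v` banner against the CVE-2021-21974 fix levels listed above.
# Prints: affected | not-affected | verify-bulletin:<id> | unknown
slp_patch_state() {
    parsed=$(printf '%s\n' "$1" | sed -n \
        's/^VMware ESXi \([0-9][0-9]*\.[0-9][0-9]*\)[^ ]* build-\([0-9][0-9]*\).*$/\1 \2/p')
    ver=${parsed%% *}
    build=${parsed##* }
    case "$ver" in
        8.*) echo "not-affected" ;;
        7.*) if [ "$build" -lt 17325551 ]; then echo "affected"; else echo "not-affected"; fi ;;
        # The page gives bulletin IDs, not build numbers, for 6.x: confirm the bulletin is installed.
        6.7) echo "verify-bulletin:ESXi670-202102401-SG" ;;
        6.5) echo "verify-bulletin:ESXi650-202102101-SG" ;;
        *)   echo "unknown" ;;
    esac
}

# Workaround: stop slpd, disable its firewall ruleset, keep it off across reboots.
disable_slp() {
    run /etc/init.d/slpd stop
    run esxcli network firewall ruleset set -r CIMSLP -e 0
    run chkconfig slpd off
}

# Read-only checks to confirm the service and ruleset state afterwards.
verify_slp() {
    run /etc/init.d/slpd status
    run esxcli network firewall ruleset list -r CIMSLP
}

# Constructed sample banner; on a real host pass "$(vmware -v)" as the first argument.
banner="${1:-VMware ESXi 7.0.0 build-16324942}"
state=$(slp_patch_state "$banner")
echo "patch state: $state"
if [ "$state" != "not-affected" ]; then
    disable_slp
    verify_slp
fi
```

Disabling SLP is a workaround only; a host reported as `affected` or `verify-bulletin` still needs the patch or upgrade described above.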




At this time, there are no known IoCs associated with CVE-2021-21974. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.  



How Avertium is Protecting Our Customers

  • Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement. 
  • Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it is an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes.  




How to Disable/Enable the SLP Service on VMware ESXi (76372) 

Risky Biz News: Ransomware wave hits thousands of VMWare ESXi servers (substack.com) 

Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide (bleepingcomputer.com) 



