Wiz: 12 Percent Of VMware ESXi Servers Need Patching For Widely Exploited Vulnerability

Thousands of servers running older versions of the VMware hypervisor are vulnerable to attacks by the ‘ESXiArgs’ ransomware, according to researchers.


Cybersecurity firm Wiz disclosed research on Tuesday showing that more than one in 10 servers running the VMware ESXi hypervisor are unpatched against a two-year-old vulnerability that is now being exploited in a widespread ransomware attack.

In a blog post, Wiz said that its data shows that 12 percent of VMware ESXi servers remain unpatched against the flaw, and are therefore still vulnerable to an attack from the “ESXiArgs” ransomware.

“Attacks utilizing this vulnerability to install ransomware have been discovered worldwide, though mostly in Europe,” Wiz said in the post.

The targets are “primarily” VMware ESXi servers that run versions of the hypervisor prior to 7.0 U3i, “which are accessible through the OpenSLP port 427.” The vulnerability, first disclosed in 2021 and tracked as CVE-2021-21974, specifically affects the OpenSLP service in older versions of ESXi, and can be exploited to enable remote execution of code.

The ESXiArgs ransomware campaign has struck thousands of VMware ESXi servers over the past few days, researchers have disclosed.

Data from cybersecurity firm Censys, which was initially reported by Bleeping Computer, shows that 308 servers in the U.S. and 211 servers in Canada are currently impacted by the ransomware. That’s down from 362 U.S. servers and 240 Canadian servers as of Monday evening.

The U.S. and Canada continue to rank second and fourth, respectively, in terms of the countries hardest hit by the ESXiArgs ransomware campaign.

VMware noted that there’s a correlation between the cyberattacks and servers that are either at end-of-support or “significantly out-of-date.”

The OpenSLP service was disabled in ESXi in 2021 starting with ESXi 7.0 U2c and ESXi 8.0 GA, VMware said.

The company said Monday that it’s “advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities,” and that it also continues to recommend that customers disable the OpenSLP service in ESXi.

“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks,” the company said.