Are Your (old) ESXi Hosts Publicly Available? — They won't be for long.

Christian Mohn
vCenter VMware ESXi
IT veteran, podcaster, author, and blogger from Bergen, Norway.

Back in February 2021, I published a post named Is Your VMware vCenter Publicly Available?.

It is February 2023, and here we are again. A new widespread ransomware attack dubbed ESXiArgs is targeting publicly available ESXi hosts, using a vulnerability that was patched two years ago (CVE-2021-21947).

For details, see Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide.

You really don’t want to wake up some day and see that your ESXi HTML Client has been replaced by a static web page, showing you how to pay the ransom…

For now it seems to be contained to publicly available ESXi hosts, but remember, the same technique and vulnerability are also available on the inside of your perimeter firewall, so any internal client that can access your hosts could potentially be an attacker as well.

Lessons to be learned here?

  1. Don’t expose vCenter or ESXi hosts to the internet. No exceptions (except Honeypots of course)
  2. Ensure admin access (vCenter, ESXi and other management interfaces/APIs) is limited to clients that need it and is properly secured (think Zero Trust, MultiFactor Authentication etc.)
  3. Patch your stuff.
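Lesson 2 is the one that is easiest to check mechanically. The script below is an added example, not code from the original post or from VMware: it parses the output of `esxcli network firewall ruleset allowedip list` (the sample is constructed to match that output's shape), flags management rulesets that accept connections from any source or from networks outside an assumed admin network, and prints the `esxcli` commands that would restrict them. The ruleset names, the admin network and the output layout are assumptions; check them against your own hosts before acting on the output.

```python
"""Audit ESXi firewall rulesets for over-broad admin access.

Added example, not the original post's code. The input layout mirrors
`esxcli network firewall ruleset allowedip list` (assumed), and the sample
output below is constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Rulesets that front administrative interfaces (assumed names; compare with
# `esxcli network firewall ruleset list` on your host).
MANAGEMENT_RULESETS = {"sshServer", "webAccess", "vSphereClient"}

# Networks from which admin access is legitimately expected (assumption).
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample in the shape of `esxcli network firewall ruleset allowedip list`.
SAMPLE_OUTPUT = """\
Ruleset         Allowed IP Addresses
--------------  --------------------
sshServer       All
webAccess       10.10.0.0/24
vSphereClient   10.10.0.0/24, 192.0.2.0/24
ntpClient       All
"""

Finding = Tuple[str, str, str]  # (ruleset, allowed entry, reason)


def parse_allowedip_list(text: str) -> Dict[str, List[str]]:
    """Map each ruleset name to its list of allowed-IP entries ("All" or CIDRs)."""
    rules: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Ruleset", "---")):
            continue  # skip blank lines and the two header lines
        name, _, allowed = line.strip().partition(" ")
        rules[name] = [e.strip() for e in allowed.split(",") if e.strip()]
    return rules


def audit_management_access(rules: Dict[str, List[str]],
                            admin_networks: List[ipaddress._BaseNetwork]) -> List[Finding]:
    """Flag management rulesets reachable from anywhere or from non-admin networks."""
    findings: List[Finding] = []
    for name in sorted(MANAGEMENT_RULESETS & set(rules)):
        for entry in rules[name]:
            if entry.lower() == "all":
                findings.append((name, entry, "accepts connections from any source"))
                continue
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((name, entry, "unparseable allowed-IP entry"))
                continue
            approved = any(net.version == a.version and net.subnet_of(a)
                           for a in admin_networks)
            if not approved:
                findings.append((name, entry, "outside approved admin networks"))
    return findings


def remediation_commands(findings: List[Finding],
                         admin_networks: List[ipaddress._BaseNetwork]) -> List[str]:
    """Build the esxcli commands that would restrict each flagged ruleset."""
    cmds: List[str] = []
    for name, entry, _reason in findings:
        if entry.lower() == "all":
            # Stop accepting from everywhere, then allow only the admin networks.
            cmds.append(f"esxcli network firewall ruleset set --ruleset-id={name} --allowed-all=false")
            for net in admin_networks:
                cmds.append(f"esxcli network firewall ruleset allowedip add "
                            f"--ruleset-id={name} --ip-address={net}")
        else:
            cmds.append(f"esxcli network firewall ruleset allowedip remove "
                        f"--ruleset-id={name} --ip-address={entry}")
    return cmds


if __name__ == "__main__":
    found = audit_management_access(parse_allowedip_list(SAMPLE_OUTPUT), ADMIN_NETWORKS)
    for ruleset, entry, reason in found:
        print(f"{ruleset}: {entry} ({reason})")
    print("\n".join(remediation_commands(found, ADMIN_NETWORKS)))
```

On the constructed sample, `sshServer` is open to any source and `vSphereClient` admits a network outside the admin range, while `webAccess` passes and `ntpClient` is ignored because it is not a management service. Review the generated commands before running them on a host; the script deliberately does not execute anything itself.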

To quote myself from two years ago:

To be blunt, there is simply no valid reason why your VMware vCenter, or ESXi hosts, should be available over the internet, none whatsoever. In fact, it shouldn’t even be available from non-admin clients in your local network, let alone via the internet. If that is the case in your environment, odds are that there are probably other big issues present in your infrastructure as well.
