ESXi (short for Elastic Sky X Integrated) is a type-1 hypervisor developed by VMware. It is a bare-metal hypervisor that runs directly on the host machine's hardware to virtualize the operating systems, creating virtual machines (VMs) on a single physical server.

After two years (oh yes! two years) many organizations don’t have patched yet VMWare vulnerability CVE-2021-21974:

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974

Many APTs and cybercriminals are abusing this vulnerability to access corporate networks and attack organizations with a ransomware campaign dubbed as ESXiArgs.

Three basic recommendations the FBI and CISA (US Cybersecurity and Infrastructure Security Agency) published in the advisory are:

• Update servers to the latest version of VMware ESXi software

• Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service (Port TCP/427)

• Ensure the ESXi hypervisor is not exposed to the public internet

Luckily in the worst case scenario, CISA published on February 7th, 2023 the tool to unencrypt the files attacked by the ESXiArgs ransomware campaign:

https://github.com/cisagov/ESXiArgs-Recover

More info:

https://www.cisa.gov/uscert/ncas/alerts/aa23-039a