Forgot password?

Threat Intelligence: ESXiArgs Ransomware 

Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts: 

The French Computer Emergency Response Team (CERT-FR) have issued a warning that threat actors are actively targeting VMWare ESXi servers which are found to be unpatched against an RCE vulnerability, caused by a heap overflow issue in the OpenSLP service. They are then infecting systems with the ransomware “ESXiArgs”. This has been named due to the extension of the encrypted file, “.args”. 

Read more about the CVE detail here: CVE-2021-21974 

The CVSS (Common Vulnerability Scoring System) Severity Score has been rated as: 8.8 

Currently the versions of ESXi which have been targeted are those before 6.7. Less than 50 have been reported in Great Britain so far, however there have been more than 900 cases across the world and counting. The original vulnerability was reported by Trend Micro – a threat actor residing within the same network segment as ESXi, who has access to port 427, may be able to trigger the heap-overflow issue in the OpenSLP service. This could result in remote code execution.  

Vulnerable ESXi versions: 

  • 7.0 before ESXi70U1c-17325551, 
  • 6.7 before ESXi670-202102401-SG, 
  • 6.5 before ESXi650-202102101-SG 

A patch for this vulnerability has been available since the 23rd February, 2021. It is highly recommended to update to a patched version of ESXi. Systems that have been left unpatched should also be scanned to look for signs of compromise. It is also advised to disable the OpenSLP service, which has been disabled by default since 2021. 

If you discover that you’ve suffered a breach as a result of this or any other vulnerability, and need help urgently, get in contact with us. You can call our emergency line on 0800 066 4509 to speak to one of our experts. They’re available 24 hours a day, 7 days a week. Bookmark this page in case you ever need us.     

If you need any support in mitigating any risks this vulnerability may have on your business, please don’t hesitate to get in contact. 

Cyber Security Experts

Accredited and regulated, we're in the top 1% of cyber security agencies globally

Crown Commercial Service Supplier Cyber Essentials Plus ISO 27001 BSI ISO 9001 CHECK NCSC Cyber Incident Response CREST

We’re trusted by the UK Government as Crown Commercial Service providers as well as being accredited by two of the leading cyber security governing bodies. Our ISO9001 certification means you can rest assured our processes and approach are market leading.

Protect Your Business & Your Reputation.

With a continued focus on security, you can rest assured that breaches and exploits won't be holding you back.

Speak To An Expert


Get In Touch

[contact-form-7 id="5" title="Contact Us Form"]