Europe: Thousands of VMware ESXi servers attacked with ransomware

B2B Cyber ​​Security ShortNews

Share post

According to the BSI - Federal Office for Information Security, thousands of servers running VMware's ESXi virtualization solution were infected with ransomware and many were also encrypted in a widespread global attack.

The regional focus of the attacks on the VMware ESXi servers was on France, the USA, Germany and Canada - other countries are also affected. The perpetrators took advantage of a long-known vulnerability in the application's OpenSLP service, which triggered a "heap overflow" and ultimately allowed code to be executed remotely. There is now a tool to restore servers encrypted with ESXiArgs ransomware depending on the constellation of VMware version and patches: the ESXiArgs-Recover-Tool.


2 year old 8.8 high vulnerability

The vulnerability itself - which is listed as CVE-2021-21974 and rated "high" according to CVSS with a severity level of 8.8 - there has been a patch from the manufacturer since February 2021. The BSI had already pointed out the critical vulnerability at the time. According to the BSI, concrete statements on the impact and the extent of possible damage are not yet possible. The BSI is analyzing this IT security incident intensively and is in contact with its international partners.

Italian companies in particular were hit hard by the attack at the weekend. According to various media, Telekom Italia TIM should also be affected by the attack. In some cases, internet performance across the country would have collapsed for a short time. But other countries and many companies continue to have problems. As early as 2021 there were exploits looking for the gap in ESXi servers and running malware.


Subscribe to our newsletter now

Read the best news from B2B CYBER SECURITY once a month

By clicking on "Register" I agree to the processing and use of my data in accordance with the declaration of consent (please open for details). I can find more information in our Privacy Policy. After registering, you will first receive a confirmation email so that no other person can order something you don't want.
Expand for details on your consent
It goes without saying that we handle your personal data responsibly. If we collect personal data from you, we process it in compliance with the applicable data protection regulations. Detailed information can be found in our Privacy Policy. You can unsubscribe from the newsletter at any time. You will find a corresponding link in the newsletter. After you have unsubscribed, your data will be deleted as soon as possible. Recovery is not possible. If you would like to receive the newsletter again, simply order it again. Do the same if you want to use a different email address for your newsletter. If you would like to receive the newsletter offered on the website, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected or only collected on a voluntary basis. We use newsletter service providers, which are described below, to process the newsletter.


This website uses CleverReach to send newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter “CleverReach”). CleverReach is a service that can be used to organize and analyze the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter (e.g. email address) will be stored on the CleverReach servers in Germany or Ireland. Our newsletters sent with CleverReach enable us to analyze the behavior of the newsletter recipients. This can include It is analyzed how many recipients have opened the newsletter message and how often which link in the newsletter was clicked. With the help of so-called conversion tracking, it can also be analyzed whether a previously defined action (e.g. purchase of a product on this website) took place after clicking on the link in the newsletter. Further information on data analysis by CleverReach newsletter is available at: The data processing takes place on the basis of your consent (Art. 6 Para. 1 lit. a DSGVO). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the revocation. If you do not want an analysis by CleverReach, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. The data you have stored with us for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you have canceled the newsletter. Data stored by us for other purposes remain unaffected. After you have been removed from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist is only used for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR). Storage in the blacklist is not limited in time. You may object to the storage if your interests outweigh our legitimate interest. For more information, see the privacy policy of CleverReach at:

Data processing

We have concluded an order processing contract (AVV) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that the personal data of our website visitors is only processed according to our instructions and in compliance with the GDPR.

Already more than 1.900 infected ESXi servers

The update comes too late for many administrators, as their VMware ESXi servers are already encrypted by ransomware. Companies that still have this vulnerability and have not yet been discovered should patch the servers immediately. According to Check Point, more than 1.900 ESXi servers have already been infected, with most of the victims reportedly coming from OVH and Hetzner Service Providers. Also CERT, the French cybersecurity authority, has already issued a warning to all companies and server operators. The security instructions for patching the vulnerability and the description of the vulnerable systems are available from VMware

Learn more about the server update at


Matching articles on the topic

SAP patches close serious security gaps

On its patch day, SAP published a list of 19 new security gaps and related updates. This is also necessary, because ➡ Read more

Lazarus: New backdoor against targets in Europe 

The APT group Lazarus, known for many attacks, is also using a new backdoor malware against targets in Europe. The purposes ➡ Read more

Critical vulnerabilities in Lexmark printers

The manufacturer of corporate printers Lexmark has once again warned its users of critical vulnerabilities. In dozens of his models are in the ➡ Read more

Ransomware: HardBit 2.0 asks for cyber insurance

The HardBit 2.0 ransomware group asks the company for cyber insurance information after a successful attack. That's how the group wants theirs ➡ Read more

ALPHV claims to have hacked camera manufacturer Ring

In addition to many private users, the provider Ring also supplies small companies with cameras, surveillance systems and video doorbells. Now you can find it ➡ Read more

BSI warns: exploitation of a vulnerability in MS Outlook

The BSI warns of a vulnerability in Outlook that is apparently already being actively exploited. The CVSS score of the vulnerability is enclosed ➡ Read more

Backdoor: Chinese hacker group attacks Europe

The Chinese hacker group Mustang Panda is stepping up its attacks on targets in Europe, Australia and Taiwan. Researchers from the IT security manufacturer ESET covered ➡ Read more

Improved security solution for Mac computers

The IT security manufacturer ESET has presented its latest version of ESET Cyber ​​Security for macOS. The security solution for Mac computers has numerous ➡ Read more