Europe: Thousands of VMware ESXi servers attacked with ransomware

B2B Cyber ​​Security ShortNews

Share post

According to the BSI - Federal Office for Information Security, thousands of servers running VMware's ESXi virtualization solution were infected with ransomware and many were also encrypted in a widespread global attack.

The regional focus of the attacks on the VMware ESXi servers was on France, the USA, Germany and Canada - other countries are also affected. The perpetrators took advantage of a long-known vulnerability in the application's OpenSLP service, which triggered a "heap overflow" and ultimately allowed code to be executed remotely. There is now a tool to restore servers encrypted with ESXiArgs ransomware depending on the constellation of VMware version and patches: the ESXiArgs-Recover-Tool.


2 year old 8.8 high vulnerability

The vulnerability itself - which is listed as CVE-2021-21974 and rated "high" according to CVSS with a severity level of 8.8 - there has been a patch from the manufacturer since February 2021. The BSI had already pointed out the critical vulnerability at the time. According to the BSI, concrete statements on the impact and the extent of possible damage are not yet possible. The BSI is analyzing this IT security incident intensively and is in contact with its international partners.

Italian companies in particular were hit hard by the attack at the weekend. According to various media, Telekom Italia TIM should also be affected by the attack. In some cases, internet performance across the country would have collapsed for a short time. But other countries and many companies continue to have problems. As early as 2021 there were exploits looking for the gap in ESXi servers and running malware.

Already more than 1.900 infected ESXi servers

The update comes too late for many administrators, as their VMware ESXi servers are already encrypted by ransomware. Companies that still have this vulnerability and have not yet been discovered should patch the servers immediately. According to Check Point, more than 1.900 ESXi servers have already been infected, with most of the victims reportedly coming from OVH and Hetzner Service Providers. Also CERT, the French cybersecurity authority, has already issued a warning to all companies and server operators. The security instructions for patching the vulnerability and the description of the vulnerable systems are available from VMware

Learn more about the server update at


Matching articles on the topic

Ransomware: Hochschule HAW continues to clean up 

At the beginning of the year, the HAW – the Hamburg University of Applied Sciences – had major problems because the educational institution from ➡ Read more

Accelerated cybercrime with ChatGPT4

Security researchers reveal various scenarios that allow hackers to improve their malicious efforts and preparations, resulting in faster and more accurate ones ➡ Read more

VOIP/PBX software 3CX abused for sideloading attack

A trojanized version of the popular phone system VOIP/PBX software 3CX is currently making headlines. The business phone system is used by companies in 190 ➡ Read more

Cyber ​​attack on Helmholtz Zentrum München

As early as March 15, the Helmholtz Zentrum München could no longer be reached. A cyber attack paralyzed everything. ➡ Read more

Security: BSI handbook for company management

The BSI distributes the new international manual "Management of Cyber ​​Risks" for company management. The one with the Internet Security Alliance ➡ Read more

Ransomware: Attack on Schweizer Medienverlag and NZZ

The Neue Züricher Zeitung - NZZ reported an attack on their network a few days ago and was therefore unable to ➡ Read more

Chinese cyber attackers target zero-day vulnerabilities

Found zero-day vulnerabilities are often exploited by individual APT groups. According to Mandiant, Chinese cyberattackers are targeting more and more zero-day vulnerabilities. The report proves it ➡ Read more

Cloud bursting vulnerability

As an application delivery technique, cloud bursting enables the best of both worlds to be combined. On the one hand, it enables ➡ Read more