The XL Security Elephant in the Room

Usage of ESXi servers is increasingly popular for organizations with a need for effective virtualization and continuous access to their Virtual Machine (VM) management. Unfortunately, this also makes ESXi servers a prime target for cyberattacks. This has been demonstrated in recent high-profile incidents where ESXi servers have been compromised. The unique combination of hypervisor access/administration, local hosting, similarity to Linux and typical lack of security controls make this a compelling target.


ESXi is a hypervisor for virtualized environments, allowing IT administrators to configure, deploy, and manage applications. This flexibility has broad appeal to resource-constrained IT teams. However, ESXi creates a false sense of security given its deployment as an appliance. Because ESXi runs on Linux, compromising the Linux host system enables attackers to gain key advantages as the super admin of the environment. VMs can be forced to fail by over-stressing system resources and causing outages, attackers can escalate privileges directly from the host operating system (OS) into virtual machines, and simple attacks can wind up controlling the resources each virtual machine needs to operate.

Ransomware is one of the most costly and prevalent threats in the world of cybersecurity. In a ransomware attack, the threat actor will encrypt VMs as well as essential OS files, which renders the VMs corrupt and prevents their reinstatement. In many attacks against virtual resources, if good backups are in place the resources can often be returned to normal relatively quickly. This is often cited as one of the benefits of virtualization. Unfortunately, in an attack against ESXi servers and VMs, the ESXi OS itself is often also corrupted, ensuring added difficulty, downtime, and cost to the victim. These attacks can lead to significant data loss and operational disruptions.

ESXi servers are also susceptible to social engineering, password guessing and credential leaks via SSH and other authentication services. This attack surface is virtually identical to Linux systems. Leaked credentials can provide unauthorized access to the server’s command line interface, enabling malicious actors to manipulate configurations, compromise VMs, and gain control over virtual environments. To avoid this, secure SSH configurations and account management are required. Unfortunately, social engineering makes this attack surface very difficult to completely negate, and leaked credentials remain one of the most prevalent malicious access methods on ESXi systems.

The abundance of vulnerabilities associated specifically with ESXi, as indicated by Common Vulnerabilities and Exposures (CVEs) such as CVE-2023-20867, CVE-2021-21974, CVE-2022-31699, and CVE-2021-21994, underscores the need for proactive security measures. Regularly patching and updating ESXi servers is essential to mitigate these vulnerabilities and ensure that the servers are fortified against potential exploits. Continuous monitoring and vulnerability assessments are critical components of an effective security strategy to identify and address emerging threats promptly.

Recent cyberattacks against large organizations utilizing hypervisors have demonstrated the severity of the risks involved. With losses exceeding $100 million in some cases, these attacks highlight the financial and reputational damage that can result from a compromised virtual infrastructure. Investing in robust cybersecurity measures, including intrusion detection systems, threat intelligence, and employee training, is imperative to defend against evolving threats and minimize the potential impact of attacks on ESXi servers. As the virtualization landscape continues to evolve, organizations must prioritize the protection of their ESXi servers to ensure the resilience of their IT infrastructure.

Vali Cyber’s ZeroLock® presents solutions to all these issues as the first-ever runtime security for hypervisors. ZeroLock for Hypervisors provides a multilayered approach to security, combining virtual patching with AI-behavioral detection, automated remediation, and more. SSH Multi-Factor Authentication virtually eliminates the SSH attack surface, and ZeroLock’s unique lockdown rules ensure that security operators will always have access to protection from emerging threats and the flexibility to create custom protection for their specific environments. ZeroLock for Hypervisors also has automated file rollback capabilities, so organizations never have to worry about the costly effects of mass encryption or corruption.

ZeroLock for Hypervisors is now available for ESXi, Nutanix, Proxmox, XenServer, Citrix Hypervisor, Red Hat Enterprise Virtualization (RHEV), and KVM. For ESXi, ZeroLock currently supports versions 6.7+, but additional versions may be supported upon request. If you are interested in learning more about ZeroLock, email Vali Cyber at [email protected].