The XL Security Elephant in the Room

Usage of ESXi servers is increasingly popular for organizations with a need for effective virtualization and continuous access to their Virtual Machine (VM) management. Unfortunately, this also makes ESXi servers a prime target for cyberattacks. This has been demonstrated in recent high-profile incidents where ESXi servers have been compromised. The unique combination of hypervisor access/administration, local hosting, similarity to Linux and typical lack of security controls make this a compelling target.


ESXi is a hypervisor for virtualized environments, allowing IT administrators to configure, deploy, and manage applications. This flexibility has broad appeal to resource-constrained IT teams. However, ESXi creates a false sense of security given its deployment as an appliance. Because ESXi runs on Linux, compromising the Linux host system enables attackers to gain key advantages as the super admin of the environment. VMs can be forced to fail by over-stressing system resources and causing outages, attackers can escalate privileges directly from the host OS into virtual machines, and simple attacks can wind up controlling the resources each virtual machine needs to operate.

Ransomware is one of the most costly and prevalent threats in the world of cyber security. In a ransomware attack, the threat actor will encrypt VM’s as well as essential Operating System files rendering VMs corrupt and preventing their reinstatement. IN many attacks against virtual resources, if good backups are in place the resources can often be returned to normal relatively quickly. This is often cited as one of the benefits of virtualization. Unfortunately, in an attack against ESXi servers and VMs, the ESXi OS itself is often also corrupted, ensuring added difficulty, downtime and cost to the victim. These attacks, lead to significant data loss and operational disruptions.

ESXi servers are also susceptible to social engineering, password guessing and credential leaks via SSH and other authentication services. This attack surface is virtually identical to Linux systems. Leaked credentials can provide unauthorized access to the server’s command line interface, enabling malicious actors to manipulate configurations, compromise VMs, and gain control over virtual environments. To avoid this, secure SSH configurations and account management is required. Unfortunately, social engineering makes this attack surface very difficult to completely negate and leaked credentials remain one of the most prevalent malicious access methods on Linux and ESXi systems.

The abundance of vulnerabilities associated specifically with ESXi, as indicated by Common Vulnerabilities and Exposures (CVEs) such as 2023-20867, 2021-21974, 2022-31699, and 2021-21994, underscore the need for proactive security measures. Regularly patching and updating ESXi servers is essential to mitigate these vulnerabilities and ensure that the servers are fortified against potential exploits. Continuous monitoring and vulnerability assessments are critical components of an effective security strategy to identify and address emerging threats promptly.

Recent cyberattacks against large organizations utilizing ESXi servers have demonstrated the severity of the risks involved. With losses exceeding $100 million in some cases, these attacks highlight the financial and reputational damage that can result from a compromised virtual infrastructure. Investing in robust cybersecurity measures, including intrusion detection systems, threat intelligence, and employee training, is imperative to defend against evolving threats and minimize the potential impact of attacks on ESXi servers. As the virtualization landscape continues to evolve, organizations must prioritize the protection of their ESXi servers to ensure the resilience of their IT infrastructure.

Vali Cyber’s ZeroLock™ for ESXi presents solutions to all these issues, where currently no viable solution otherwise exists. ZeroLock for ESXi provides the same AI-based detection for ransomware as ZeroLock for Linux. SSH Multi-Factor Authentication virtually eliminates the SSH attack surface. Lockdown rules on ZeroLock ensure that security operators will always have access to protection from emerging threats and the flexibility to create custom protection for their specific environments. ZeroLock will also include all the same automated file rollback capabilities as ZeroLock for Linux, so organizations never have to worry about the costly effects of mass encryption of corruption.

Vali Cyber is currently working on our Early Access Program for ZeroLock for ESXi. Participants must have 1+ non-production systems running ESXi 6.7+. If you are interested in participating or would like to learn more about ZeroLock for ESXi, email Vali Cyber at info@valicyber.com.