{
	"id": "a04f3b66-9f76-437b-b27c-008848355d0c",
	"created_at": "2026-04-06T00:15:28.276084Z",
	"updated_at": "2026-04-10T13:11:31.129373Z",
	"deleted_at": null,
	"sha1_hash": "fbfa613272d854c380cae513f5430f18b7357e5c",
	"title": "ESXiArgs Ransomware Targets Publicly-Exposed ESXi OpenSLP Servers | Recorded Future",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49265,
	"plain_text": "ESXiArgs Ransomware Targets Publicly-Exposed ESXi OpenSLP\r\nServers | Recorded Future\r\nBy German Hoeffner, Aaron Soehnen \u0026 Gianni Perez\r\nArchived: 2026-04-05 23:51:18 UTC\r\nAn ongoing ransomware campaign dubbed ESXiArgs is targeting outdated VMware ESXi installations. While\r\nfirst reports surfaced on Friday, February 3rd, a more significant wave infected at least 2,000 hosts over the\r\nweekend, according to BleepingComputer. An internet-wide scan reported up to 8,000 infected hosts as of this\r\nwriting.\r\nThe attack likely exploits CVE-2021-21974, a two-year-old remote code execution vulnerability in the bundled\r\nOpenSLP service, for which a patch has been available since February 2021.\r\nVMware ESXi is a Type 1 hypervisor that runs directly on host server hardware, providing a virtualization layer\r\ncapable of abstracting CPU, storage, memory, and networking resources into multiple virtual machines. OpenSLP\r\nis an open-source framework for networking applications to discover the existence, location, and configuration of\r\nservices in enterprise networks, which ESXi client applications use to resolve network addresses and hosts.\r\nAffected Systems\r\nThe following ESXi versions are affected by CVE-2021-21974:\r\nESXi 7.x prior to ESXi70U1c-17325551\r\nESXi 6.7.x prior to ESXi670-202102401-SG\r\nESXi 6.5.x prior to ESXi650-202102101-SG\r\nFor a system to be vulnerable to CVE-2021-21974, the OpenSLP service needs to be running, and its associated\r\nport 427 needs to be reachable from the internet. According to VMware, this service is disabled by default on new\r\ninstallations since ESXi 7.0 U2c and ESXi 8.0 GA.\r\nIt should be noted that CVE-2021-21974 is not yet officially confirmed as the attack vector. The French CERT\r\nlists CVE-2020-3992 as another possibility, which is also a vulnerability of OpenSLP. 
While the exact\r\nvulnerability is unknown, OVHcloud, a large hoster with ESXi servers in its portfolio, confirmed that the\r\nOpenSLP service is the point of entry used in this campaign. VMware also recommends disabling OpenSLP as\r\nmitigation.\r\nFurthermore, OVHcloud blocked port 427 for all servers with ESXi installed. Besides being assigned to the\r\nOpenSLP service, this port may also be used by a backdoor script in compromised installations.\r\nMitigation and recovery\r\nhttps://www.recordedfuture.com/blog/esxiargs-ransomware-targets-vmware-esxi-openslp-servers\r\nPage 1 of 2\n\nVMware recommends updating vulnerable ESXi servers to an unaffected version if possible. As an additional\r\nmeasure, the OpenSLP service can be disabled. The procedure for this is described in VMware's documentation.\r\nCurrent insights from OVHcloud and the security community suggest that closing port 427 or restricting access to it might\r\nalso mitigate this vulnerability as a stop-gap measure.\r\nInfected systems will have the following files present in the /tmp folder, which can serve as an indicator of\r\ncompromise:\r\nencrypt\r\nencrypt.sh\r\npublic.pem\r\nThe system’s motd (message of the day) file and index.html will be replaced with a ransom note after the\r\nencryption process. The ransomware will try to stop running VMs to be able to encrypt their associated files.\r\nThe encryption algorithm has no known weaknesses that allow decrypting files without the key. But according to\r\nOVHcloud, stopping the VMs often fails, which leaves the files locked and prevents any encryption. Even if the\r\nencryption succeeds, only small chunks of the files are encrypted, which makes a recovery theoretically possible.\r\nHowever, this process is quite difficult, and security analysts are still working on the best procedures. 
The current\r\nprocedure is described in this blog post.\r\nAdditionally, CISA and the FBI have released an ESXiArgs Ransomware Recovery Guidance, including a specific\r\nrecovery script for this type of ransomware attack. We encourage all affected organizations to follow this recovery\r\nguidance.\r\nSummary\r\nVMware identified a new ransomware campaign targeting public-facing ESXi servers worldwide. The attackers\r\nare likely leveraging a two-year-old heap overflow vulnerability in ESXi's OpenSLP service. Patches for this\r\nvulnerability have been available, but the attack has revealed that many servers may still be vulnerable. Users\r\nshould upgrade to the latest ESXi version and restrict access to the OpenSLP service to trusted IP addresses to\r\nmitigate potential threats if patching isn’t readily available.\r\nThis content was originally published February 8, 2023 and updated February 9, 2023.\r\nSource: https://www.recordedfuture.com/blog/esxiargs-ransomware-targets-vmware-esxi-openslp-servers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.recordedfuture.com/blog/esxiargs-ransomware-targets-vmware-esxi-openslp-servers"
	],
	"report_names": [
		"esxiargs-ransomware-targets-vmware-esxi-openslp-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434528,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fbfa613272d854c380cae513f5430f18b7357e5c.pdf",
		"text": "https://archive.orkl.eu/fbfa613272d854c380cae513f5430f18b7357e5c.txt",
		"img": "https://archive.orkl.eu/fbfa613272d854c380cae513f5430f18b7357e5c.jpg"
	}
}