Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts detailed a previously undetected VMware ESXi backdoor

A new Python backdoor is targeting VMware ESXi servers, allowing attackers to take over compromised systems. Juniper Networks researchers spotted a previously undocumented Python backdoor targeting VMware ESXi servers. The researchers discovered the backdoor in October 2022, experts pointed out the implant is notable for its simplicity, persistence and capabilities. The experts were not able […]

VMware Fusion Pwn2Own Berlin 2025

A new Python backdoor is targeting VMware ESXi servers, allowing attackers to take over compromised systems.

Juniper Networks researchers spotted a previously undocumented Python backdoor targeting VMware ESXi servers. The researchers discovered the backdoor in October 2022, experts pointed out the implant is notable for its simplicity, persistence and capabilities.

The experts were not able to determine the initial compromise due to limited log retention on the compromised server, they speculate attackers may have exploited known issues (i.e. CVE-2019-5544 and CVE-2020-3992) in ESXi’s OpenSLP service.

The backdoor maintain persistence by modifying some systems files such as /etc/rc.local.d/local.sh , which is executed at startup.

VMware ESXi

The following line of code launches a Python script that starts a web server. The webserver accepts password-protected POST requests from the attackers, each request can include a base-64 encoded command payload or launch a reverse shell on the host.

“While the Python script used in this attack is cross-platform and can be used with little or no modification on Linux or other UNIX-like systems, there are several indications that this attack was designed specifically to target ESXi.” reads the analysis published by Juniper. “The name of the file and its location, /store/packages/vmtools.py, was chosen to raise little suspicion on a virtualization host.”

Below is the list of files installed or modified in this attack:

  • /etc/rc.local.d/local.sh: stored in RAM, but changes are backed up and restored on reboot
  • /bin/hostd-probe.sh: changes are stored in RAM and reapplied after a reboot
  • /store/packages/vmtools.py: saved to the persistent disk stores used for VM disk images, logs, etc.
  • /etc/vmware/rhttpproxy/endpoints.conf: changes are stored in RAM and reapplied after a reboot

In order to allow access by remote attackers, they changed the configuration of the ESXi reverse HTTP proxy. The mappings from pathnames to network ports are stored in the configuration file, /etc/vmware/rhttpproxy/endpoints.conf.

The changes to the above file are persistent because it is one of the system files that are backed up and restored automatically at the reboot.

In order to determine if your installation was compromised the researchers recommend review the vmtools.py and local.sh files.

“The hashed password in vmtools.py has been redacted because it might uniquely identify the compromised server, so that file’s hash should not be used as an IOC. The modifications to hostd-probe.sh and endpoints.conf are shown in their entirety above.” concludes the report.

Experts also recommend applying all vendor patches as soon as possible, restricting incoming network connections to trusted hosts.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, vmware)

[adrotate banner=”5″]

[adrotate banner=”13″]