What starting position does this attack require?

The first step is Drop encryptor bash script (T1486) — a impact primitive. Assumed environment: target left ESXi management ports reachable from the public internet.

What is the final impact of this kill-chain?

The final step lands on Mass-encrypt .vmdk in /vmfs/volumes (HV-ESXI-RANSOM), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

ESXiArgs — OpenSLP unauth RCE → ransomware

Internet-facing ESXi with SLP service on TCP/427 unpatched for CVE-2021-21974. Single ROP gadget chain yields root, then a small bash script encrypts every .vmdk on local datastores.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Impact

Drop encryptor bash script

T1486 · Data Encrypted for Impact

Impact

Ransom note in vSphere login screen

T1490 · Inhibit System Recovery

Execution

Root shell on ESXi

T1059 · Command and Scripting Interpreter

Reconnaissance

Shodan: port:427 vmware:esxi

W-RECON-API-DISCO · API Endpoint Discovery

Initial Access

OpenSLP heap overflow

HV-ESXI-SLP · ESXi OpenSLP Unauth RCE (CVE-2021-21974)

Impact

Mass-encrypt .vmdk in /vmfs/volumes

HV-ESXI-RANSOM · ESXi Mass-Encrypt Ransomware

§ Context

Assumed environment: target left ESXi management ports reachable from the public internet. CVE-2021-21974 not patched (very common on legacy / unmanaged ESXi).

§ Steps

01
Drop encryptor bash scriptImpact
T1486— Data Encrypted for Impact
02
Ransom note in vSphere login screenImpact
T1490— Inhibit System Recovery
03
Root shell on ESXiExecution
T1059— Command and Scripting Interpreter
04
Shodan: port:427 vmware:esxiReconnaissance
W-RECON-API-DISCO— API Endpoint Discovery
05
OpenSLP heap overflowInitial Access
HV-ESXI-SLP— ESXi OpenSLP Unauth RCE (CVE-2021-21974)
06
Mass-encrypt .vmdk in /vmfs/volumesImpact
HV-ESXI-RANSOM— ESXi Mass-Encrypt Ransomware

§ References

§ Frequently asked

What is the "ESXiArgs — OpenSLP unauth RCE → ransomware" attack path?: Internet-facing ESXi with SLP service on TCP/427 unpatched for CVE-2021-21974. Single ROP gadget chain yields root, then a small bash script encrypts every .vmdk on local datastores. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Drop encryptor bash script (T1486) — a impact primitive. Assumed environment: target left ESXi management ports reachable from the public internet.
What is the final impact of this kill-chain?: The final step lands on Mass-encrypt .vmdk in /vmfs/volumes (HV-ESXI-RANSOM), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

ESXiArgs — OpenSLP unauth RCE → ransomware

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

vCenter pre-auth RCE → root on every ESXi → mass encrypt

Open MongoDB → dump every collection