HV-ESXI-SLPInitial Access

ESXi OpenSLP Unauth RCE (CVE-2021-21974)

ESXi SLP service pre-auth heap-overflow → root on the host — the bug behind the ESXiArgs ransomware wave.

§ Where this technique fits

HV-ESXI-SLP is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

ESXiArgs — OpenSLP unauth RCE → ransomware
Internet-facing ESXi with SLP service on TCP/427 unpatched for CVE-2021-21974. Single ROP gadget chain yields root, then a small bash script encrypts every .vmdk on local datastores.
step 2 / 6

§ What commonly comes next

01
Command and Scripting Interpreter
T1059 · Execution
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

ESXiArgs — OpenSLP unauth RCE → ransomware

§ What commonly comes next