HV-VCENTER-RCEInitial Access

vCenter Server RCE

Repeating vCenter CVEs (CVE-2021-21972 vSAN, CVE-2024-37079 DCERPC heap) — pre-auth path to root, then full hypervisor estate.

§ Where this technique fits

HV-VCENTER-RCE is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

vCenter pre-auth RCE → root on every ESXi → mass encrypt
Pre-auth RCE on vCenter Server (DCERPC or vSphere Client class CVE). Deploy SSH key via vCenter to every managed ESXi, then mass-encrypt every .vmdk — the ESXiArgs / Black Basta playbook.
step 2 / 6

§ What commonly comes next

01
Hypervisor Credential Caches
HV-NESTED-CRED · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

vCenter pre-auth RCE → root on every ESXi → mass encrypt

§ What commonly comes next