Mass VMware ESXi Ransomware Campaign Targeting Virtual Infrastructure
Large-scale ransomware campaign exploiting VMware ESXi vulnerabilities to encrypt virtual machines and disrupt business operations. Attackers leverage CVE-2021-21974 to compromise unpatched systems globally.
Sectors: Information Technology, Financial Services, Healthcare, Manufacturing, Government, Telecommunications
Executive Summary
A significant ransomware campaign dubbed 'ESXiArgs' is actively targeting VMware ESXi hypervisors worldwide, primarily exploiting CVE-2021-21974, a two-year-old heap overflow vulnerability in the OpenSLP service. The attack has impacted thousands of servers across multiple countries, with particularly high concentrations in France, Germany, and North America.
The ransomware specifically targets ESXi virtual machines, encrypting VM files (including .vmdk, .vmx, .vmxf, and .nvram) and effectively disrupting organizations' virtualized infrastructure. The campaign demonstrates sophisticated targeting of enterprise virtualization platforms, potentially causing widespread business disruption due to the critical nature of affected systems.
Key Findings
A significant ransomware campaign dubbed 'ESXiArgs' is actively targeting VMware ESXi hypervisors worldwide, primarily exploiting CVE-2021-21974, a two-year-old heap overflow vulnerability in the OpenSLP service
The attack has impacted thousands of servers across multiple countries, with particularly high concentrations in France, Germany, and North America
The ransomware specifically targets ESXi virtual machines, encrypting VM files (including .vmdk, .vmx, .vmxf, and .nvram) and effectively disrupting organizations' virtualized infrastructure
Overview
A widespread ransomware campaign is actively targeting VMware ESXi hypervisors, exploiting known vulnerabilities to encrypt virtual machines and associated files. The attack, identified as 'ESXiArgs,' has affected thousands of servers globally, with significant impact on critical business operations.
Attack Vector
The primary attack vector is CVE-2021-21974, a heap overflow vulnerability in the OpenSLP service of ESXi that allows for remote code execution. This vulnerability affects ESXi versions 6.5, 6.7, and 7.0.
Technical Analysis
The ransomware specifically targets files essential to virtual machine operations:
.vmdk
.vmx
.vmxf
.nvram
The encryption process utilizes a combination of symmetric and asymmetric encryption, making recovery without the decryption key extremely difficult. The ransomware also attempts to stop virtual machines before encryption and removes VM snapshots to prevent easy recovery.
Impact Assessment
Complete encryption of virtual infrastructure
Business continuity disruption
Potential data loss
Significant recovery time and costs
Recommendations
Immediate actions required:
Patch all ESXi hosts to the latest version
Disable the OpenSLP service if not required
Implement network segmentation for ESXi management interfaces
Ensure robust backup solutions are in place and tested
Monitor ESXi logs for suspicious activities
Implement strong access controls and MFA for management interfaces
Indicators of Compromise
Presence of .args files in /tmp directory
Encrypted files with .vmxf extension
Suspicious connections to TCP port 427 (SLP)
Unusual ESXi process activity
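The following script is an added example for the "Monitor ESXi logs" recommendation and the indicators listed above; it is not code from the advisory or from VMware. It walks a directory for the .args files the brief names, and scans log lines for connections to TCP port 427 (SLP). The log line layout, the directory argument (the brief points at /tmp), and the sample tree and log lines are all assumptions constructed for the demonstration.

```python
"""Host-side triage for the ESXiArgs indicators listed in this brief.

Added example, not code from the advisory or from VMware: it walks a directory
for ".args" files (the brief names /tmp) and scans log lines for connections to
TCP port 427 (SLP). The log format and the default path are assumptions; the
sample tree and log lines below are constructed for the demonstration.
"""
import os
import re
import tempfile

ARGS_SUFFIX = ".args"   # indicator from the brief
SLP_PORT = 427          # OpenSLP listener abused by CVE-2021-21974

# Constructed sample log lines (not real ESXi output). The "from A:p to B:q"
# layout is an assumption made for this example.
SAMPLE_LOG = """\
2023-02-03T10:12:01Z hostd: connection from 198.51.100.23:51234 to 10.0.0.5:427 proto=tcp
2023-02-03T10:12:05Z hostd: connection from 10.0.0.9:40011 to 10.0.0.5:443 proto=tcp
2023-02-03T10:13:44Z hostd: connection from 203.0.113.7:59999 to 10.0.0.5:427 proto=tcp
2023-02-03T10:14:00Z vmkernel: VM powered off: web01
"""

CONN_RE = re.compile(
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def find_args_files(root):
    """Return sorted, root-relative paths of every *.args file under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(ARGS_SUFFIX):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def slp_connections(log_text, port=SLP_PORT):
    """Return (src, dst) pairs for log lines whose destination port is SLP."""
    found = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m and int(m.group("port")) == port:
            found.append((m.group("src"), m.group("dst")))
    return found


def triage(root, log_text):
    """Combine both checks into one verdict dict for an on-call responder."""
    args_files = find_args_files(root)
    slp = slp_connections(log_text)
    return {
        "args_files": args_files,
        "slp_sources": sorted({src for src, _dst in slp}),
        "suspicious": bool(args_files) or bool(slp),
    }


def build_demo_tree():
    """Create a throwaway directory imitating /tmp on an affected host (constructed)."""
    root = tempfile.mkdtemp(prefix="esxiargs-demo-")
    os.makedirs(os.path.join(root, "vmfs", "web01"))
    for rel in ("web01.vmdk.args", "vmfs/web01/web01.vmx.args", "unrelated.txt"):
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("demo\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()   # on a real host, pass "/tmp" instead
    print(triage(demo_root, SAMPLE_LOG))
```

On a live host, point `triage` at /tmp and at the exported hostd or vmkernel log text; the regex is the part to adapt to the actual log layout, since the sample format here is assumed. A non-empty `slp_sources` list does not by itself prove exploitation, but with SLP disabled per the recommendations any inbound 427 traffic is worth investigating.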