Christoph Hartmann | February 7, 2023 | 2 min read

Protect Your VMware ESXi Servers from ESXiArgs Ransomware with CVE-2021-21974 Patch


VMware ESXi servers have been targeted by a new ransomware called ESXiArgs. The attackers are exploiting a two-year-old vulnerability, CVE-2021-21974, in the OpenSLP service. The vulnerability is caused by a heap overflow issue and can be exploited by unauthenticated actors. ESXi servers in versions 6.x and prior to 6.7 are the current target. VMware confirmed that this attack exploits older ESXi flaws and not a zero-day vulnerability.

The French Computer Emergency Response Team (CERT-FR) recommends applying the patch and disabling the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven't been updated.

CVE-2021-21974 affects the following systems:

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

It is also advised to scan unpatched systems for signs of compromise. 

According to a Censys search, 2,400 VMware ESXi devices worldwide are currently detected as compromised. The ransomware encrypts files with .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions and creates .args files for each encrypted document. 
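As an added example (not part of the original article or Mondoo's tooling), the following POSIX shell script looks for those `.args` files under a datastore path and reports which of the listed VM file types they accompany. It assumes the marker is named `<encrypted file>.args` and sits beside that file; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Assumption: the ransomware's marker is
# named "<encrypted file>.args" and sits next to the file it describes.

# Extensions the article lists as encrypted by ESXiArgs.
TARGET_EXTS="vmxf vmx vmdk vmsd nvram"

# is_target_file PATH: succeeds if PATH ends in one of the targeted extensions.
is_target_file() {
    for ext in $TARGET_EXTS; do
        case "$1" in *."$ext") return 0 ;; esac
    done
    return 1
}

# scan_args_markers ROOT: prints one line per ".args" file found under ROOT.
#   SUSPECT <file>        marker sits beside a VM file of a targeted type
#   MARKER-ONLY <marker>  marker without such a sibling; review by hand
# Paths containing newlines are not handled.
scan_args_markers() {
    find "$1" -type f -name '*.args' 2>/dev/null | sort |
    while IFS= read -r marker; do
        victim=${marker%.args}
        if [ -f "$victim" ] && is_target_file "$victim"; then
            printf 'SUSPECT %s\n' "$victim"
        else
            printf 'MARKER-ONLY %s\n' "$marker"
        fi
    done
}

# count_suspects ROOT: number of SUSPECT lines, for use in scripts and alerts.
count_suspects() {
    scan_args_markers "$1" | grep -c '^SUSPECT ' || true
}

# make_sample_tree DIR: constructed datastore layout for a dry run (not real data).
make_sample_tree() {
    mkdir -p "$1/vm-a" "$1/vm-b" "$1/vm c"
    touch "$1/vm-a/vm-a.vmx" "$1/vm-a/vm-a.vmx.args" \
          "$1/vm-a/vm-a-flat.vmdk" "$1/vm-a/vm-a-flat.vmdk.args" \
          "$1/vm-b/vm-b.vmx" "$1/vm-b/vm-b.vmdk" \
          "$1/vm c/disk 1.nvram" "$1/vm c/disk 1.nvram.args" \
          "$1/vm-b/notes.args"
}

# Scan the directory given on the command line, e.g. /vmfs/volumes.
if [ "$#" -gt 0 ]; then scan_args_markers "$1"; fi
```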

BleepingComputer shared the technical details of the attack. If you have been attacked, security researcher Enes Sonmez (enes_dev) has shared a VMware ESXi recovery guide, allowing many admins to rebuild their virtual machines and recover their data for free.

Validate if you are affected

Quickly install our open source tool cnspec:

bash -c "$(curl -sSL"

Verify that slpd is not running

We connect to the ESXi host via the vSphere API and select the ESXi server:

cnspec shell vsphere user@domain.local@vsphere-ip --ask-pass

To verify, we simply enter the following MQL query: == "slpd" && running == true)

Validate that all patches have been installed

To get access to the vulnerability database, log in to the Mondoo Platform. Then use cnspec to assess the missing patches for your ESXi server:

cnspec vuln vsphere user@domain.local@vsphere-ip --ask-pass

Continuously assess VMware vCenter Server

The Mondoo Platform has full coverage for vCenter Server via deployment in minutes with our vCenter appliance, vCenter and ESXi vulnerability management, as well as the CIS VMware ESXi 7.0 Benchmark.

Don't let ESXiArgs ransomware attack your VMware ESXi servers! Take proactive measures and secure your systems with the power of Mondoo. Sign up for a free account today to easily validate your systems and continuously assess vulnerabilities with the latest security updates. Or book a demo with us to see how Mondoo can revolutionize your cybersecurity strategy. Don't wait until it's too late, protect your systems now with Mondoo.


Christoph Hartmann

Christoph Hartmann, co-founder and CTO at Mondoo, wants to make the world more secure. He’s long been a leader in security engineering and DevOps, creating widely adopted solutions like and InSpec. For fun, he builds everything from custom operating systems to autonomous Lego Mindstorm robots.

