BSI warns of many vulnerable VMware ESXi servers in the network

The CERT-Bund of the Federal Office for Information Security is investigating the German part of the internet for vulnerable services. Last week, this involved around 2500 vulnerable VMware ESXi instances whose management interfaces were openly accessible from the internet.

This was reported by Germany's top IT security authority on the social network Mastodon. "CERT-Bund is currently aware of around 2,500 VMware ESXi server management interfaces in Germany that are openly accessible from the internet," the BSI writes there. It further adds: "These should generally not be exposed to the internet."

According to the scan analysis, 60 percent of the servers are running outdated versions that no longer receive support from the manufacturer. "A further 31% are running a current version but with an outdated patch level" – making them vulnerable to cyberattacks.

Sisyphus work of the BSI

"CERT-Bund has been notifying German network operators about affected systems in their networks for two years," the authors of the report further explain. Apparently, this is a never-ending task, which was also noticed with other vulnerable servers. For example, a magnitude higher number of vulnerable Exchange servers are openly accessible on the network and thus exposed to attackers. The BSI saw more than 30,000 in Germany alone at the end of October last year.

The number of vulnerable Zimbra servers accessible online, with around 600 unsupported versions and more than 150 others vulnerable to current, critical vulnerabilities, seems comparatively small in mid-January 2026.

Updated versions are available for the vulnerable software versions, which close the security vulnerabilities. Apparently, administrators in German organizations are still significantly lagging behind with updates to a large extent.

(dmk)