1. Introduction
The VMware ESX / ESXi Web-Based Datastore Browser Default Credentials vulnerability means that a VMware host is accessible using pre-set usernames and passwords. This allows unauthorised access to virtual machines and their data. Systems running the web interface are usually affected, potentially impacting confidentiality, integrity, and availability of hosted services.
2. Technical Explanation
- Root cause: Use of known, unchanged default administrator credentials.
- Exploit mechanism: An attacker attempts login using the default username and password via the web interface. Successful authentication grants access to virtual machine files. For example, an attacker could use a simple HTTP request with default credentials in the authentication header.
- Scope: VMware ESX and ESXi hosts with the Web-Based Datastore Browser enabled. Affected versions are not specifically detailed in this report but should be reviewed against vendor advisories.
3. Detection and Assessment
Confirming the vulnerability means checking whether the default credentials still work. A quick check is to attempt a login via the web interface. A thorough assessment requires a credentialed scan of the ESX / ESXi host.
- Quick checks: Access the Web-Based Datastore Browser in your browser and try logging in with the default username ‘root’ and password ‘VMware1!’.
- Scanning: Nessus vulnerability ID 16873 can detect this issue. Other scanners may have similar signatures.
- Logs and evidence: Check ESXi host logs for successful login events using the ‘root’ account from external IP addresses. Log locations vary by version, but typically reside in /var/log/vmkernel.log or via vCenter Server logs.
# This is an example only - check your specific environment
esxcli system credential interactive --username root
4. Solution / Remediation Steps
Fixing this issue requires changing the default passwords on all default accounts. Follow these steps carefully to avoid service disruption.
4.1 Preparation
- Ensure you have alternative access methods (e.g., SSH) in case web interface access is lost. A roll back plan involves restoring from the pre-change snapshot.
- Changes should be approved through standard IT change management procedures.
4.2 Implementation
- Step 1: Access the ESXi host directly via the DCUI (Direct Console User Interface) or SSH.
- Step 2: Run the command `esxcli system credential interactive`.
- Step 3: Enter a new, strong password when prompted for the ‘root’ account.
- Step 4: Repeat Step 2 and Step 3 for any other default accounts identified in your environment.
4.3 Config or Code Example
Before
# Default root password is VMware1! (example)
esxcli system credential interactive --username root
Password: VMware1!
After
# New, strong root password set.
esxcli system credential interactive --username root
Changing password for user 'root'...
New Password:
Verify new password:
Password changed successfully.
4.4 Security Practices Relevant to This Vulnerability
Practices that directly address this vulnerability include least privilege and safe defaults.
- Practice 1: Apply least privilege and safe defaults. Least privilege limits the impact if an account is compromised; safe defaults ensure systems start with strong security settings.
- Practice 2: Enforce strong password policies, including minimum length and complexity requirements.
4.5 Automation (Optional)
# Example PowerShell script - use with caution! Requires appropriate permissions.
# This is an example only and needs adaptation for your environment.
$esxiHost = "your_esxi_host"
# Prompt for the password at run time rather than hard-coding it in the script.
$newPassword = Read-Host -Prompt "New root password for $esxiHost"
# PowerShell has no bash-style heredoc; pipe the password twice on stdin (new password, then confirmation).
# Assumes the remote command reads the prompts from stdin; verify on your version before relying on it.
"$newPassword`n$newPassword" | ssh "root@$esxiHost" "esxcli system credential interactive --username root"
5. Verification / Validation
Confirm the fix by attempting to log in with the old default credentials. A negative test should fail, and a smoke test confirms normal service operation.
- Post-fix check: Attempt login via the web interface using 'root' and 'VMware1!'. The login attempt should fail.
- Re-test: Run Nessus vulnerability ID 16873 again. It should no longer report the issue.
- Smoke test: Verify you can still access virtual machine consoles and manage VMs through vCenter Server or the web interface with your new credentials.
- Monitoring: Monitor ESXi host logs for failed login attempts using default usernames.
# Example command to check login status (may vary by version)
esxcli system credential list
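The log review in section 3 (successful ‘root’ logins from external addresses) and the monitoring in section 5 (failed attempts against default usernames) can both be scripted over the host's auth messages. The following is an added example, not code from the report or from VMware; the sample log lines are constructed and only loosely modelled on ESXi sshd/hostd messages, so the regexes and the INTERNAL_NETS range are assumptions to adapt to your own log output and management network.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (assumed format; adapt the regexes to your host's real auth log).
SAMPLE_LOG = """\
2025-10-20T08:01:10Z sshd[2201]: Accepted password for root from 10.10.5.21 port 50122 ssh2
2025-10-20T08:02:44Z hostd[2200]: Event 12 : User root@203.0.113.45 logged in as VMware-client/8.0.0
2025-10-20T08:03:02Z sshd[2203]: Rejected password for user root from 198.51.100.7
2025-10-20T08:03:05Z sshd[2203]: Rejected password for user admin from 198.51.100.7
2025-10-20T08:03:09Z sshd[2203]: Rejected password for user root from 198.51.100.7
2025-10-20T08:10:31Z hostd[2200]: Event 15 : User vpxuser@10.10.5.9 logged in as VMware-client/8.0.0
"""

# Management networks treated as internal (assumption; set to your own ranges).
INTERNAL_NETS = [ipaddress.ip_network("10.10.5.0/24")]
# Account names whose default passwords the report says to rotate.
DEFAULT_USERS = {"root", "admin"}

# Successful login: sshd "Accepted password for <user> from <ip>" or hostd "User <user>@<ip> logged in".
SUCCESS_RE = re.compile(r"(?:Accepted password for |User )(?P<user>\w+)(?: from |@)(?P<ip>[\d.]+)")
# Failed login: sshd "Rejected password for user <user> from <ip>".
FAILED_RE = re.compile(r"Rejected password for user (?P<user>\w+) from (?P<ip>[\d.]+)")


def is_external(ip: str) -> bool:
    """True when the address lies outside every INTERNAL_NETS range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_default_logins(log_text: str) -> list:
    """Section 3 check: successful logins by a default account from an external address."""
    hits = []
    for line in log_text.splitlines():
        m = SUCCESS_RE.search(line)
        if m and m["user"] in DEFAULT_USERS and is_external(m["ip"]):
            hits.append((m["user"], m["ip"]))
    return hits


def failed_default_logins(log_text: str) -> Counter:
    """Section 5 monitoring: failed attempts against default account names, counted per source."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and m["user"] in DEFAULT_USERS:
            counts[(m["user"], m["ip"])] += 1
    return counts


if __name__ == "__main__":
    for user, ip in external_default_logins(SAMPLE_LOG):
        print(f"ALERT: successful {user} login from external address {ip}")
    for (user, ip), n in failed_default_logins(SAMPLE_LOG).most_common():
        print(f"{n} failed attempt(s) for {user} from {ip}")
```

After the fix in section 4, a successful default-account login from an external address should not appear at all; a burst of failures from one source is the signal to correlate with your perimeter logs.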
6. Preventive Measures and Monitoring
Update security baselines to include a requirement for changing default passwords. Implement checks in your CI/CD pipeline to prevent deployments with default credentials. A regular patch cycle ensures timely updates.
- Baselines: Update your VMware ESXi hardening baseline or CIS benchmark to explicitly require password changes.
- Asset and patch process: Review and apply security patches regularly, ideally within 72 hours of release.
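One way to implement the CI/CD check described above is a pre-deployment gate over the ESXi scripted-install (kickstart) file, which sets the root password through the rootpw directive. This is an added example, not the report's or VMware's code; the kickstart fragments are constructed, the hash is a placeholder, and the DEFAULT_PASSWORDS set is an assumption seeded with the default named in section 3.

```python
import re

# Constructed kickstart fragments (rootpw, vmaccepteula, install and network are real directives;
# the values are made up and the --iscrypted hash is a placeholder, not a real hash).
KS_WITH_DEFAULT = """\
vmaccepteula
rootpw VMware1!
install --firstdisk --overwritevmfs
network --bootproto=dhcp
"""
KS_HARDENED = """\
vmaccepteula
rootpw --iscrypted $6$PLACEHOLDER_SALT$PLACEHOLDER_HASH
install --firstdisk --overwritevmfs
"""
KS_NO_ROOTPW = """\
vmaccepteula
install --firstdisk --overwritevmfs
"""

# Values the gate refuses outright (assumption: the default from section 3 plus common placeholders).
DEFAULT_PASSWORDS = {"VMware1!", "password", "vmware"}
ROOTPW_RE = re.compile(r"^\s*rootpw\s+(?P<args>.+?)\s*$", re.MULTILINE)


def check_kickstart(ks_text: str) -> list:
    """Return findings for a kickstart file; an empty list means it passes the gate."""
    findings = []
    m = ROOTPW_RE.search(ks_text)
    if not m:
        return ["rootpw directive missing; the gate requires an explicit, non-default root password"]
    args = m["args"].split()
    if args[0] == "--iscrypted":
        if len(args) < 2:
            findings.append("rootpw --iscrypted given without a hash")
        return findings
    plaintext = " ".join(args)
    findings.append("rootpw is plaintext in the kickstart; use --iscrypted with a generated hash")
    if plaintext in DEFAULT_PASSWORDS:
        findings.append(f"rootpw uses a known default password ({plaintext!r})")
    return findings


if __name__ == "__main__":
    for name, ks in [("default", KS_WITH_DEFAULT), ("hardened", KS_HARDENED), ("missing", KS_NO_ROOTPW)]:
        print(name, "->", check_kickstart(ks) or "PASS")
```

Wire the function into the pipeline so that any non-empty result fails the build before the host image is deployed.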
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Incorrect password entry can lead to account lockout. Mitigation: Double-check password entries and ensure alternative access is available.
- Risk or side effect 2: Service interruption if changes are made during peak hours. Mitigation: Schedule changes during a maintenance window.
- Roll back:
1. Power off the ESXi host.
2. Restore from the pre-change snapshot.
3. Verify the system is operational with the original default credentials (for testing only).
8. References and Resources
- Vendor advisory or bulletin: VMware Security Advisory VMSA-2019-0027
- NVD or CVE entry: CVE-2019-5544
- Product or platform documentation relevant to the fix: Updated on October 26, 2025