# BlackBasta's Exploited Vulnerabilities
> [!NOTE]
> This is the list of vulnerabilities that have been observed during intrusions that lead to BlackBasta ransomware deployment or data exfiltration and leaks published to BlackBasta's Tor Site

### `ConnectWise`
| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| ScreenConnect | CVE-2024-1709 & CVE-2024-1709 | BlackBasta | [cisa.gov](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a) |

### `VMware`
| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| ESXi | CVE-2024-37085 ("ESX Admins") | BlackBasta | [microsoft.com](https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/) |

### `Windows`
| Product | CVE(s) | Ransomware Group(s) | Source(s) |
|---|---|---|---|
| Windows Error Reporting Service | CVE-2024-26169 | BlackBasta | [www.security.com](https://www.security.com/threat-intelligence/black-basta-ransomware-zero-day) |
| MSDT | CVE-2022-30190 ("Follina") | BlackBasta | [sentinelone.com](https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/) / [trendmicro.com](https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html) |
| Active Directory | CVE-2021-42278 &  CVE-2021-42287 ("NoPac") | BlackBasta | [cisa.gov](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a) |
| Print Spooler | CVE-2021-1675 & CVE-2021-34527 ("PrintNightmare") | BlackBasta | [cisa.gov](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a) |
| NetLogon | CVE-2020-1472 ("ZeroLogon") | BlackBasta | [cisa.gov](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a) |

---

#### Sources
| Date Published | Report |
|---|---|
| 29 July 2024 | https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ |
| 10 May 2024 | https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a |