An ESXi host that is not connected to or managed by a vCenter Server uses self-signed certificates on ports 9080 and 5989, which causes the host to be flagged by vulnerability scans of the environment.
ESXi 8.0.3+
Services on ports 9080 and 5989 use self-signed certificates, which does not meet the environment's requirement to use only certificates signed by a custom CA.
Ports 9080 and 5989 are used to communicate with vCenter. Because vCenter communication is not used in this specific instance, the ports can be closed to external traffic through the ESXi host's firewall.
1. Access ESXi host web interface.
2. Navigate to Networking -> Firewall Rules.
3. Change allowed IP addresses for services at 9080 and CIM at 5989 to 127.0.0.1.
4. Confirm the port is closed via vulnerability scan.
Warning: Closing these ports in an environment that uses vCenter Server will interrupt communication between vCenter and the ESXi hosts. Use this solution only when communication with a vCenter Server is not required. For information on securing ESXi hosts connected to vCenter Server, follow the VMware vSphere Security Configuration Guide 8. See also the VCF Hardening Guides.
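For step 4, the result can be checked from the scanner's network position before the next scheduled scan. The script below is an added example, not part of the original article or a VMware tool. It probes the two ports named above and, if one still answers, reports whether it presents a self-signed certificate. The function names and the optional `cafile` argument (a PEM bundle of the custom CA) are assumptions of this example.

```python
import socket
import ssl
import sys

PORTS = (9080, 5989)   # the two ports named in the article
SELF_SIGNED = 18       # OpenSSL X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT

def probe(host, port, timeout=3.0, cafile=None):
    """Classify one port as seen from the machine running this script."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except OSError:                      # timed out or unreachable
        return "filtered"
    ctx = ssl.create_default_context(cafile=cafile)  # trust store to verify against
    ctx.check_hostname = False           # judge the chain only, not the name
    try:
        with ctx.wrap_socket(sock):
            return "open: certificate chains to a trusted CA"
    except ssl.SSLCertVerificationError as e:
        if e.verify_code == SELF_SIGNED:
            return "open: self-signed certificate"
        return "open: untrusted certificate (%s)" % e.verify_message
    except OSError:                      # includes ssl.SSLError and handshake timeouts
        return "open: no TLS handshake"
    finally:
        sock.close()

def scan(host, ports=PORTS, **kw):
    """Probe every port and return {port: state}."""
    return {p: probe(host, p, **kw) for p in ports}

def remediated(results):
    """True when no probed port accepts connections from this vantage point."""
    return all(not state.startswith("open") for state in results.values())

if __name__ == "__main__":
    host = sys.argv[1]   # ESXi host name or IP, supplied by the operator
    res = scan(host)
    for port, state in res.items():
        print(f"{host}:{port} {state}")
    sys.exit(0 if remediated(res) else 1)
```

Run it from a machine other than the ESXi host itself. After the allowed IP list is set to 127.0.0.1, both ports should report `closed` or `filtered` and the script exits with status 0.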