Threat actors have exploited a critical-severity VMware vCenter Server vulnerability disclosed in 2024, according to fresh warnings from CISA and Broadcom.
Tracked as CVE-2024-37079 (CVSS score of 9.8), the flaw is described as an out-of-bounds write issue in the Distributed Computing Environment/Remote Procedure Calls (DCERPC) protocol implementation of vCenter Server.
Incorrect bounds checking during the processing of network packets could result in an overflow of heap memory, leading to remote code execution.
The security defect can be exploited by remote attackers with access to vCenter Server via specially crafted network packets.
On Friday, the US cybersecurity agency CISA added CVE-2024-37079 to its Known Exploited Vulnerabilities (KEV) catalog, warning federal agencies of its in-the-wild exploitation.
Patches for the weakness were released in June 2024. On Friday, VMware parent company Broadcom updated its initial advisory to add a note on the bug’s abuse.
“Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild,” the note reads.
Neither CISA nor Broadcom has provided details on the observed attacks, and there do not appear to be any public reports describing in-the-wild exploitation.
Now that the CVE has been added to the KEV list, federal agencies have three weeks to identify and patch vulnerable vCenter Server deployments in their environments, as mandated by Binding Operational Directive (BOD) 22-01.
All organizations are advised to review CISA’s KEV catalog and apply available fixes and mitigations for the vulnerabilities it contains.
Related: Fortinet Confirms FortiCloud SSO Exploitation Against Patched Devices
Related: Organizations Warned of Exploited Zimbra Collaboration Vulnerability
Related: Infotainment, EV Charger Exploits Earn Hackers $1M at Pwn2Own Automotive 2026
