The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical VMware vCenter Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The flaw, CVE-2024-37079, is a heap overflow in the DCE/RPC protocol that allows remote code execution and was patched by Broadcom in June 2024.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical VMware vCenter Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed evidence of active exploitation in the wild. This move underscores the severity of the threat and the urgent need for organizations using VMware's virtualization management platform to apply available patches immediately.
The vulnerability in question is CVE-2024-37079, which carries a critical CVSS score of 9.8. It is a heap overflow vulnerability found in the implementation of the Distributed Computing Environment / Remote Procedure Call (DCE/RPC) protocol within VMware vCenter Server. An attacker with network access to the vCenter Server can exploit this flaw by sending a specially crafted network packet, leading to remote code execution (RCE) on the affected system. This is a classic, high-severity vulnerability that provides a direct path for an attacker to compromise the management plane of a virtualized environment.
Broadcom, which now owns VMware, originally patched this vulnerability in June 2024, alongside a related heap overflow flaw, CVE-2024-37080. The discovery was credited to researchers Hao Zheng and Zibo Li from the Chinese cybersecurity firm QiAnXin LegendSec. Their work, presented at the Black Hat Asia security conference in April 2025, revealed that CVE-2024-37079 and CVE-2024-37080 were part of a larger set of four vulnerabilities found in the DCE/RPC service. The other two flaws, CVE-2024-38812 and CVE-2024-38813, were patched by Broadcom in September 2024.
The researchers demonstrated the potential impact of these vulnerabilities by chaining one of the heap overflows with the privilege escalation vulnerability (CVE-2024-38813). This chain could allow an attacker to achieve unauthorized remote root access and ultimately gain full control over the underlying ESXi hypervisor host. This highlights the critical nature of the vCenter Server as a central management point; a compromise here can have cascading effects across an entire virtualized infrastructure.
While the specific details of how CVE-2024-37079 is being exploited in the wild, the threat actors involved, and the scale of the attacks remain unknown, the confirmation of active exploitation is a significant red flag. Broadcom has updated its official advisory to reflect this, stating, "Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild."
The addition to the CISA KEV catalog is not merely an advisory; it carries regulatory weight for certain entities. Federal Civilian Executive Branch (FCEB) agencies are now mandated to remediate this vulnerability by February 13, 2026. This deadline provides a clear timeline for action and also signals that the threat is considered serious enough to warrant a federal mandate.
Practical Takeaways for Security Teams
For organizations using VMware vCenter Server, the path forward is clear but requires immediate action:
Identify and Patch: The first step is to determine if your environment is running a vulnerable version of VMware vCenter Server. Organizations should review Broadcom's security advisory for CVE-2024-37079 and CVE-2024-37080 to identify the specific affected versions and the corresponding patches. Apply these patches as the highest priority. The patches from June 2024 are the definitive fix for these specific vulnerabilities.
Assess for Related Vulnerabilities: Given the research presented by QiAnXin, it is prudent to ensure that all related DCE/RPC vulnerabilities (CVE-2024-38812 and CVE-2024-38813) are also patched. These were fixed in September 2024, so any system not updated since then is vulnerable to a broader attack chain.
Network Segmentation and Access Control: vCenter Server should never be directly exposed to the public internet. Ensure strict network segmentation controls are in place, limiting access to the vCenter management interface to only authorized administrative networks and personnel. Implement robust firewall rules and consider using a VPN or jump host for any necessary remote access.
Monitor for Exploitation Attempts: Security teams should monitor their network traffic and logs for any anomalous activity targeting the DCE/RPC protocol (on Windows hosts this is typically associated with TCP port 135 and dynamic high ports; confirm which ports the DCE/RPC service on your vCenter appliance actually listens on). While the specific exploit pattern may not be publicly known, monitoring for unusual connection attempts or packets directed at vCenter, especially from sources outside the administrative networks, can provide early warning signs.
Review and Harden vCenter Configuration: Beyond patching, review the overall security posture of your vCenter Server. This includes ensuring strong, unique passwords for all accounts, enabling multi-factor authentication where possible, and regularly auditing user permissions and roles within the vSphere environment.
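The segmentation and monitoring recommendations above can be turned into a simple detection pass over connection logs. The following Python script is an added example written for this article, not code from CISA, Broadcom or the researchers: it parses constructed firewall/flow log lines (the format, the vCenter address 10.10.0.5, the admin subnet 10.50.1.0/24 and the burst threshold are all assumptions), flags any connection attempt to the article's DCE/RPC ports on vCenter that originates outside the allowed admin networks, and flags sources that hammer those ports repeatedly. Adjust the port set to what your vCenter actually listens on.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not from the article). One record per line:
# timestamp src_ip src_port dst_ip dst_port proto action
SAMPLE_LOG = """\
2026-01-20T10:00:01Z 10.50.1.10 51234 10.10.0.5 443 tcp allow
2026-01-20T10:00:02Z 10.50.1.10 51235 10.10.0.5 135 tcp allow
2026-01-20T10:00:05Z 203.0.113.7 40001 10.10.0.5 135 tcp allow
2026-01-20T10:00:06Z 203.0.113.7 40002 10.10.0.5 135 tcp allow
2026-01-20T10:00:06Z 203.0.113.7 40003 10.10.0.5 135 tcp allow
2026-01-20T10:00:07Z 203.0.113.7 40004 10.10.0.5 49152 tcp deny
2026-01-20T10:00:09Z 10.20.3.4 33000 10.10.0.5 135 tcp allow
2026-01-20T10:00:10Z 10.50.1.11 51300 10.10.0.5 22 tcp allow
"""

# Assumptions for this example: where vCenter lives and who may administer it.
VCENTER_HOSTS = {"10.10.0.5"}
ADMIN_NETWORKS = [ipaddress.ip_network("10.50.1.0/24")]

# Port 135 is the DCE/RPC endpoint mapper the article mentions; the dynamic
# range is the Windows default. Replace with your appliance's real listeners.
DCERPC_PORTS = {135}
DYNAMIC_RANGE = range(49152, 65536)
BURST_THRESHOLD = 3  # DCE/RPC connection attempts per source before a burst alert

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\d+) (\w+) (\w+)$")


def parse_line(line):
    """Parse one log record into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, _sport, dst, dport, proto, action = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "action": action}


def is_admin_source(ip):
    """True if the source address falls inside an allowed admin network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def is_dcerpc_port(port):
    return port in DCERPC_PORTS or port in DYNAMIC_RANGE


def analyze(log_text):
    """Return a list of (timestamp, src, dport, reason) findings.

    Denied attempts are reported too: a blocked probe against the management
    plane is still worth knowing about.
    """
    findings = []
    attempts_per_source = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["dst"] not in VCENTER_HOSTS:
            continue
        if not is_dcerpc_port(rec["dport"]):
            continue
        attempts_per_source[rec["src"]] += 1
        if not is_admin_source(rec["src"]):
            findings.append((rec["ts"], rec["src"], rec["dport"],
                             "dcerpc-from-non-admin-network"))
    for src, n in attempts_per_source.items():
        if n >= BURST_THRESHOLD:
            findings.append(("-", src, None, f"dcerpc-burst:{n}"))
    return findings


if __name__ == "__main__":
    for ts, src, dport, reason in analyze(SAMPLE_LOG):
        print(f"{ts} {src} -> vCenter:{dport if dport else '*'} {reason}")
```

Feeding this the sample above produces five "non-admin network" findings (four from 203.0.113.7 and one from 10.20.3.4) plus a burst alert for 203.0.113.7; the admin host's single DCE/RPC connection is left alone. In practice the same two checks (source not in an admin allowlist, and repeated hits on the management ports) map directly onto firewall or SIEM rules.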
The active exploitation of CVE-2024-37079 serves as a stark reminder that vulnerabilities in core infrastructure management platforms are high-value targets for attackers. A compromise of vCenter can provide an attacker with a centralized point of control over an organization's virtualized assets, making it a critical component to secure and monitor vigilantly.

Broader Context and Research
The discovery of these vulnerabilities by QiAnXin LegendSec researchers highlights the ongoing security challenges in complex, legacy protocols like DCE/RPC, which is a foundational component of Microsoft's Remote Procedure Call (RPC) and used in various enterprise systems. The ability to chain a remote code execution vulnerability with a privilege escalation flaw to gain root access on an ESXi host demonstrates a sophisticated understanding of the VMware stack and its potential attack surface.
This incident is part of a larger trend where threat actors are increasingly targeting virtualization and cloud management platforms. These systems are often considered trusted, foundational components, and a breach can have widespread consequences. The CISA KEV catalog serves as a critical tool for prioritizing patching efforts, as it focuses on vulnerabilities that are not just theoretically severe but are being actively used in real-world attacks.
For organizations, the message is unequivocal: if you are running VMware vCenter Server, you must verify your patch status immediately. The window for proactive defense is closing, and with confirmed active exploitation, the risk of a breach is no longer hypothetical.
Relevant Links:
- Broadcom Security Advisory for CVE-2024-37079 (Note: Link would be to Broadcom's official security portal)
- CISA Known Exploited Vulnerabilities Catalog
- VMware vCenter Server Documentation
- Black Hat Asia 2025 Presentation Details (Search for QiAnXin researchers' presentation)
