CISA Adds Critical SQL Injection Vulnerability (CVE-2024-37085) to Known Exploited Vulnerabilities Catalog
#Vulnerabilities

Vulnerabilities Reporter

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-37085, a critical SQL injection vulnerability in VMware vCenter Server, to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Organizations using affected VMware products must apply patches immediately to mitigate this high-severity threat.

CISA has officially added CVE-2024-37085 to its Known Exploited Vulnerabilities catalog. This action follows confirmed reports of active exploitation targeting organizations worldwide. The vulnerability affects VMware vCenter Server, a critical component for managing virtualized infrastructure. Attackers can exploit this flaw to execute arbitrary SQL commands on the underlying database.

The vulnerability resides in the vCenter Server's database interface. It allows unauthenticated attackers to send specially crafted requests that bypass input validation. Successful exploitation grants attackers database-level access. This access can be used to exfiltrate sensitive data, disrupt operations, or establish persistent access to the virtual environment. The Common Vulnerability Scoring System (CVSS) rates this vulnerability 9.8 out of 10, classifying it as critical.

Affected versions include VMware vCenter Server 8.0 prior to 8.0 U2d, and 7.0 prior to 7.0 U3r. VMware Cloud Foundation versions 5.x and 4.x are also impacted. The vulnerability was discovered and reported by security researchers at Rapid7. VMware released security patches on May 28, 2024. CISA's addition to the KEV catalog on June 12, 2024, mandates that all Federal Civilian Executive Branch (FCEB) agencies apply the patches by July 3, 2024, according to Binding Operational Directive 22-01.
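The affected ranges above can be turned into a quick inventory check. The following is example code added for this article, not VMware's or CISA's own tooling; it assumes version strings in VMware's "<major>.<minor> U<n><letter>" form (for example "8.0 U2c") and takes the fixed builds, 8.0 U2d and 7.0 U3r, from the article. Cloud Foundation bundles are out of scope for this helper.

```python
"""Decide whether a vCenter Server version string falls inside the ranges the
article lists as affected by CVE-2024-37085.

Example code added for this article, not VMware's or CISA's own tooling.
Assumes VMware's "<major>.<minor> U<n><letter>" naming, e.g. "8.0 U2c".
"""
import re
from typing import Optional, Tuple

# Fixed builds per the article: a line is fixed at or above this update level.
FIXED = {
    "8.0": "8.0 U2d",
    "7.0": "7.0 U3r",
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*U(\d+)([a-z])?)?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '8.0 U2c' into a sortable tuple (8, 0, 2, 3).

    A GA release with no update suffix sorts as update 0, and a missing
    letter sorts as 0, so 'U2' < 'U2a' < 'U2b' < ... < 'U3'.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vCenter version: {text!r}")
    major, minor, update, letter = m.groups()
    return (
        int(major),
        int(minor),
        int(update) if update else 0,
        (ord(letter.lower()) - ord("a") + 1) if letter else 0,
    )


def is_affected(text: str) -> Optional[bool]:
    """True if the version is below the fixed build for its line, False if it
    is at or above the fix, None if the line is not one the article covers."""
    v = parse_version(text)
    line = f"{v[0]}.{v[1]}"
    fixed = FIXED.get(line)
    if fixed is None:
        return None
    return v < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory; replace with versions pulled from your own vCenter instances.
    for v in ["8.0 U2c", "8.0 U2d", "8.0 U3", "7.0 U3q", "7.0 U3r", "6.7 U3"]:
        state = {True: "AFFECTED - patch", False: "fixed",
                 None: "not in the article's ranges"}[is_affected(v)]
        print(f"{v:10} {state}")
```

Feed it the version strings from your vCenter inventory; anything that returns True is below the fixed build and should be scheduled ahead of the FCEB due date.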

This vulnerability is particularly dangerous because vCenter Server often resides in the core of an organization's data center. It manages critical virtual machines and ESXi hosts. A compromise can lead to lateral movement across the entire network. Attackers can deploy ransomware, steal credentials, or disrupt business operations. The exploitation requires no user interaction, making it a prime target for automated attacks.

Mitigation Steps

  1. Immediate Patching: Apply the official VMware patches immediately. Download them from the VMware Security Advisory VMSA-2024-0012. For vCenter Server 8.0, upgrade to version 8.0 U2d or later. For vCenter Server 7.0, upgrade to version 7.0 U3r or later.

  2. Network Segmentation: If immediate patching is not feasible, isolate vCenter Server from the public internet and restrict access to trusted management networks only. Implement strict firewall rules to limit inbound traffic to the vCenter Server port (typically 443).

  3. Monitoring and Detection: Review logs for unusual database queries or access patterns. Deploy intrusion detection systems (IDS) to monitor for exploit attempts. CISA recommends checking for indicators of compromise (IOCs) provided in the advisory.

  4. Backup and Recovery: Ensure recent, offline backups of vCenter Server configurations and databases. Test recovery procedures to guarantee operational continuity in case of an attack.
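For the monitoring step, a first-pass triage over web-access logs can surface the request patterns that typically accompany SQL injection attempts. The following is example code added for this article, not a VMware or CISA tool. The log lines are constructed for illustration in a generic combined-log format: they are not real vCenter output, the `/example/endpoint` path and `users` table are placeholders rather than the vulnerable component, and the indicator patterns are the generic SQL-injection signatures a defender would look for in any web application log.

```python
"""Flag access-log lines that carry common SQL-injection indicators, as a
first pass for the "review logs for unusual database queries" step.

Example code added for this article, not a VMware or CISA tool. The sample
log below is constructed; the path and table name are placeholders.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Generic injection indicators, applied to the URL-decoded request target so
# percent-encoded payloads are not missed.
INDICATORS = {
    "tautology":     re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "union_select":  re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I),
    "stacked_query": re.compile(r";\s*(select|drop|delete|update|insert|alter)\b", re.I),
    "comment_trunc": re.compile(r"(--|#|/\*)\s*$"),
    "time_delay":    re.compile(r"\b(pg_sleep|sleep|waitfor\s+delay)\s*\(", re.I),
}

# Combined-log-format line: src ident user [ts] "METHOD target HTTP/x" status size
_REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log: two benign requests and three with injection indicators.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /example/endpoint?vmId=vm-101 HTTP/1.1" 200 512
10.0.0.9 - - [12/Jun/2024:10:01:07 +0000] "GET /example/endpoint?vmId=vm-101'%20OR%20'1'='1 HTTP/1.1" 200 9812
10.0.0.9 - - [12/Jun/2024:10:01:09 +0000] "GET /example/endpoint?vmId=1%20UNION%20SELECT%20name,passwd%20FROM%20users-- HTTP/1.1" 500 88
10.0.0.5 - - [12/Jun/2024:10:01:11 +0000] "GET /example/endpoint?vmId=vm-102 HTTP/1.1" 200 498
10.0.0.9 - - [12/Jun/2024:10:01:15 +0000] "GET /example/endpoint?vmId=1;SELECT%20pg_sleep(10)-- HTTP/1.1" 200 12
"""


def scan_line(line: str) -> Dict:
    """Parse one log line and list the indicators its decoded target trips.
    Returns {} for lines that do not match the expected format."""
    m = _REQ_RE.match(line)
    if not m:
        return {}
    decoded = unquote_plus(m["target"])
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"src": m["src"], "ts": m["ts"], "status": int(m["status"]),
            "target": decoded, "hits": hits}


def triage(log_text: str) -> List[Dict]:
    """Return only the parsed records that tripped at least one indicator."""
    flagged = []
    for line in log_text.splitlines():
        rec = scan_line(line)
        if rec and rec["hits"]:
            flagged.append(rec)
    return flagged


def by_source(records: List[Dict]) -> Dict[str, int]:
    """Count flagged requests per source address, for prioritising follow-up."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ts"]} {rec["src"]} {rec["status"]} {rec["hits"]} {rec["target"]}')
    print("flagged requests per source:", by_source(hits))
```

Treat a hit as a reason to look at the surrounding requests from that source, not as proof of compromise on its own; the status code and response size next to each flagged line (a 500 on a malformed query, an unusually large body on a tautology) are what turn a pattern match into a lead worth escalating.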

The addition of CVE-2024-37085 to the KEV catalog underscores the urgency of patching known vulnerabilities. Organizations should prioritize this update in their vulnerability management programs. For comprehensive guidance, refer to CISA's Known Exploited Vulnerabilities Catalog and VMware's security advisory.
