The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical VMware vCenter Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild and mandating federal agencies to patch within three weeks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially confirmed that threat actors are actively exploiting a critical vulnerability in VMware vCenter Server, a widely used virtualization management platform. The agency has added CVE-2024-37079 to its catalog of Known Exploited Vulnerabilities (KEV) and ordered all Federal Civilian Executive Branch (FCEB) agencies to secure their systems by February 13, 2026, under Binding Operational Directive (BOD) 22-01.

The Vulnerability: A Heap Overflow in a Core Protocol
CVE-2024-37079 is a heap overflow vulnerability in the Distributed Computing Environment / Remote Procedure Call (DCERPC) protocol implementation in VMware vCenter Server, rated critical with a CVSSv3 base score of 9.8. vCenter Server is the central management component of the VMware vSphere platform; it manages ESXi hosts and virtual machines across data centers and hybrid cloud environments, so compromising it gives an attacker control over every workload it manages.
An attacker with network access to vCenter Server can trigger the flaw by sending a specially crafted packet to the vulnerable DCERPC service. The resulting heap overflow can lead to remote code execution (RCE) on the appliance. In CVSS terms the attack complexity is low, and the flaw requires neither privileges on the target nor user interaction, which makes it a prime candidate for automated exploitation by botnets and ransomware groups.
Patching Status and Lack of Mitigations
Broadcom, which completed its acquisition of VMware in November 2023, originally patched this vulnerability in June 2024. The recent confirmation of active exploitation has elevated the urgency. Broadcom's advisory was updated to state, "Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild."
Crucially, there are no workarounds or mitigations for this flaw. The only effective defense is to apply the security patches released by Broadcom. Customers are advised to update their vCenter Server and VMware Cloud Foundation installations to the fixed versions immediately. The specific fixed builds for each release line are listed in the response matrix of Broadcom Security Advisory VMSA-2024-0012; verify the version reported by each appliance against that matrix rather than assuming a recent patch cycle covered it, because vCenter patches are applied per appliance and are easy to miss on standalone or lab instances.
Federal Mandate and Broader Context
CISA's directive applies to all FCEB agencies, which include major departments such as State, Justice, Energy, and Homeland Security. The agency warned that this type of vulnerability "is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise."
This incident is part of a concerning pattern of VMware vulnerabilities being targeted by attackers. In October 2025, CISA ordered U.S. government agencies to patch a high-severity vulnerability (CVE-2025-41244) in VMware Aria Operations and VMware Tools, which Chinese state-sponsored hackers had been exploiting in zero-day attacks since October 2024.
Furthermore, in 2025 Broadcom released patches for two high-severity VMware NSX flaws (CVE-2025-41251 and CVE-2025-41252) reported by the U.S. National Security Agency (NSA), and in March 2025 fixed three actively exploited zero-days in ESXi, Workstation and Fusion (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) reported by Microsoft. This history underscores the importance of a rigorous patch management schedule for virtualization infrastructure.
Practical Takeaways for Security Teams
Immediate Patching: For any organization using VMware vCenter Server, the priority is to apply the relevant patches from Broadcom. The absence of workarounds makes patching the only viable defense.
Inventory and Assessment: Security teams should immediately inventory their vCenter Server deployments and identify vulnerable versions, covering on-premises appliances as well as any hosted or cloud-based instances. The running version and build are shown in the vCenter Server Management Interface (VAMI) and are also returned by the appliance REST API; compare them against the fixed builds in VMSA-2024-0012.
Network Segmentation: As a general best practice, ensure that vCenter Server management interfaces are never exposed to the public internet. Place them on a dedicated, restricted management network reachable only from administrator workstations or jump hosts, and enforce that boundary with network firewall rules rather than relying on the appliance's own firewall. Segmentation limits who can reach the vulnerable service, but it is not a substitute for the patch: any host with network access to vCenter, including a compromised workstation on the management network, can still deliver the exploit.
Monitor for Exploitation: Review logs for suspicious activity targeting vCenter Server instances. Because the advisory does not name the vulnerable port, focus on connections to vCenter from hosts outside the management network, unexpected crashes or restarts of vCenter services (a failed heap overflow attempt frequently crashes the target process), and new local accounts, processes or scheduled tasks on the appliance. Treat any instance that was reachable from an untrusted network before patching as potentially compromised, since patching removes the vulnerability but not an attacker who already used it.
Stay Informed: Given the active exploitation, it is advisable to monitor security advisories from both CISA and Broadcom for any updates or additional guidance.
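The inventory step above, as an added example that is not part of the article and not Broadcom's code: a small standard-library Python script that classifies each vCenter by its reported version string and, for live use, pulls that string over the vSphere Automation REST API (POST /api/session and GET /api/appliance/system/version, available on vCenter 7.0 U2 and later). The FIXED_VERSIONS values are the author's illustrative assumptions and must be replaced with the fixed builds from the VMSA-2024-0012 response matrix; the hostnames and version records in SAMPLE_RECORDS are constructed so the report runs offline.

```python
"""Inventory vCenter Server appliances and flag builds that predate a
patched version.

Added example, not code from the article or from Broadcom.  It uses only
the Python standard library and the vSphere Automation REST API
(POST /api/session, GET /api/appliance/system/version).
"""
import base64
import json
import ssl
import urllib.request
from typing import Dict, Tuple

# Lowest version string per release line that carries the fix.  The values
# below are the author's assumptions for illustration only: take the real
# ones from the VMSA-2024-0012 response matrix and re-check them whenever
# Broadcom revises the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "7.0.3": "7.0.3.01900",
    "8.0.1": "8.0.1.00500",
    "8.0.2": "8.0.2.00300",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.0.2.00300' -> (8, 0, 2, 300); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def assess(version: str) -> str:
    """Classify a vCenter version string as patched, vulnerable or unknown.

    'unknown' is returned for a release line missing from FIXED_VERSIONS
    (a newer update line, or one the table does not cover) so that nobody
    mistakes "not in my table" for "safe".
    """
    parts = parse_version(version)
    line = ".".join(str(p) for p in parts[:3])
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        return "unknown"
    return "patched" if parts >= parse_version(fixed) else "vulnerable"


def fetch_version(host: str, user: str, password: str,
                  verify_tls: bool = True) -> dict:
    """Log in to a vCenter and return its /api/appliance/system/version record.

    Needs network access to the appliance, so it is not exercised offline.
    Set verify_tls=False only for a lab appliance with a self-signed cert.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    login = urllib.request.Request(
        f"https://{host}/api/session", method="POST",
        headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(login, context=ctx) as resp:
        session_id = json.load(resp)  # the endpoint returns the bare id string
    query = urllib.request.Request(
        f"https://{host}/api/appliance/system/version",
        headers={"vmware-api-session-id": session_id})
    with urllib.request.urlopen(query, context=ctx) as resp:
        return json.load(resp)


# Constructed sample records in the shape of /api/appliance/system/version
# so the report can run without a vCenter.  Hostnames are invented.
SAMPLE_RECORDS: Dict[str, dict] = {
    "vc-prod-01.example.internal": {"version": "8.0.2.00200"},
    "vc-prod-02.example.internal": {"version": "8.0.2.00300"},
    "vc-legacy.example.internal": {"version": "7.0.3.01800"},
    "vc-lab.example.internal": {"version": "8.0.3.00000"},
}


def report(records: Dict[str, dict]) -> Dict[str, str]:
    """Map each vCenter hostname to its assessment."""
    return {host: assess(rec["version"]) for host, rec in records.items()}


if __name__ == "__main__":
    for host, status in report(SAMPLE_RECORDS).items():
        print(f"{host:32} {SAMPLE_RECORDS[host]['version']:12} {status}")
```

For a live run, build the records dict from your CMDB host list with `fetch_version(host, user, password)` in place of SAMPLE_RECORDS. The "unknown" outcome is deliberate: a release line the table does not know about is escalated to a human rather than silently reported as patched, which is the failure mode that lets an unpatched appliance hide in an inventory.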
The active exploitation of CVE-2024-37079 serves as a stark reminder that vulnerabilities in core infrastructure management tools are high-value targets for adversaries. A proactive and swift patching response is the most effective measure to mitigate this significant risk.
