Critical VMware vCenter Server Vulnerability Actively Exploited in the Wild
#Vulnerabilities


Regulation Reporter

A critical VMware vCenter Server vulnerability patched in June 2024 is now being actively exploited by attackers, prompting urgent warnings from both Broadcom and CISA. The flaw, CVE-2024-37079, allows remote code execution and has been added to CISA's Known Exploited Vulnerabilities catalog, mandating federal agencies to patch by February 13, 2026.



A critical VMware vCenter Server vulnerability that was patched more than a year and a half ago is now being actively exploited by attackers in the wild. The flaw, tracked as CVE-2024-37079, represents a significant threat to enterprise virtualization infrastructure and has prompted urgent warnings from both Broadcom and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The Vulnerability Details

CVE-2024-37079 is an out-of-bounds write vulnerability in VMware vCenter Server's implementation of the DCERPC (Distributed Computing Environment/Remote Procedure Calls) protocol. The vulnerability received a CVSS score of 9.8 out of 10, indicating critical severity. DCERPC allows software to invoke procedures and services on remote systems across a network, making it a fundamental component of distributed computing environments.

The vulnerability can be exploited by an attacker with network access to vCenter Server by sending specially crafted network packets. Successful exploitation could lead to remote code execution, giving attackers complete control over the virtualization management platform. This is particularly dangerous because vCenter Server is the central management point for VMware virtualized environments, controlling multiple ESXi hosts and virtual machines.

Active Exploitation Confirmed

Broadcom updated its security advisory on January 23, 2026, stating: "Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild." This confirmation came more than 19 months after the initial patch was released in June 2024. The company did not provide details about the scope of exploitation or respond to inquiries about specific attacker behavior.

CISA added CVE-2024-37079 to its Known Exploited Vulnerabilities (KEV) Catalog on the same day. Federal agencies are now required to patch the vulnerability by February 13, 2026. While CISA listed the bug's use in ransomware campaigns as "unknown," the addition to the KEV catalog indicates confirmed exploitation activity.

Why This Matters

Virtualization infrastructure, including vCenter Server, is a high-value target for both government-backed threat actors and financially motivated cybercriminals. Caitlin Condon, VP of security research at VulnCheck, explained that "virtualization infrastructure - including Broadcom's vCenter Server - is a favorite target for both government-backed hackers and financially motivated cybercriminals."

Condon provided historical context, noting that a prior vulnerability in vCenter Server's DCERPC protocol (CVE-2023-34048) was exploited by at least three known China-nexus threat actors: Fire Ant, Warp Panda, and UNC3886. This pattern demonstrates that state-sponsored groups actively target virtualization management platforms.

Attack Timeline and Patch Delay

The timeline reveals a concerning pattern of delayed patching despite available updates:

  • June 2024: Broadcom releases patches for CVE-2024-37079
  • January 2026: Active exploitation confirmed in the wild
  • January 2026: CISA adds vulnerability to KEV catalog
  • February 13, 2026: Deadline for federal agencies to patch

The 19-month gap between patch release and confirmed exploitation highlights the persistent challenge of patch management in enterprise environments. Many organizations may have missed the initial patch release or delayed deployment due to testing requirements or operational concerns.

Technical Analysis: DCERPC Protocol Risks

The DCERPC protocol, while essential for distributed computing, presents significant security challenges. It operates over multiple transport layers and supports various authentication mechanisms, creating a complex attack surface. The out-of-bounds write vulnerability in vCenter's implementation allows attackers to corrupt memory structures, potentially leading to arbitrary code execution.

For organizations running VMware environments, vCenter Server typically has elevated privileges and access to management networks. A compromised vCenter Server could provide attackers with:

  1. Lateral movement: Access to connected ESXi hosts and virtual machines
  2. Data exfiltration: Visibility into virtual machine configurations and data
  3. Persistence: Ability to maintain long-term access to the virtualized environment
  4. Ransomware deployment: Capability to encrypt or disrupt virtual infrastructure

Mitigation and Remediation

Organizations should immediately take the following actions:

  1. Apply patches: Deploy the security updates released in June 2024 if not already applied
  2. Network segmentation: Ensure vCenter Server is never exposed to the public internet
  3. Access controls: Review and restrict network access to vCenter management interfaces
  4. Monitoring: Implement enhanced logging and monitoring for DCERPC traffic
  5. Incident response: Prepare procedures for responding to potential vCenter compromises
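The first action in the list, verifying that every vCenter instance actually carries the June 2024 fix, is easy to get wrong by eye across a fleet. The script below is an added example written for this article, not Broadcom's tooling. It assumes the vSphere Automation REST API endpoints `POST /api/session` (returns a session id) and `GET /api/appliance/system/version` (returns `version` and `build`), and it needs a table of minimum patched builds that you must fill in from Broadcom's advisory; the table ships with `None` entries on purpose, so the audit never reports "patched" against an unfilled table. The hostnames, versions and build numbers in the sample data are constructed.

```python
"""Audit vCenter Server patch status by release line and build number."""
import base64
import json
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Minimum patched build per release line ("major.minor" of the reported version).
# PLACEHOLDER: None means "not filled in". Fill these from Broadcom's June 2024
# advisory; until then every host on these lines is reported as 'unassessed'.
PATCHED_BUILDS: Dict[str, Optional[int]] = {
    "7.0": None,
    "8.0": None,
}


@dataclass
class VersionInfo:
    host: str
    version: str  # vCenter reports major.minor.update.patch, e.g. "8.0.2.00300"
    build: int


def release_line(version: str) -> str:
    """Reduce a version string such as '8.0.2.00300' to its '8.0' release line."""
    parts = version.split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unrecognised vCenter version string: {version!r}")
    return f"{parts[0]}.{parts[1]}"


def patch_status(info: VersionInfo, patched: Optional[Dict[str, Optional[int]]] = None) -> str:
    """Classify one appliance as 'patched', 'VULNERABLE' or 'unassessed'.

    'unassessed' covers release lines missing from the table and lines whose
    minimum build is still None. Treat both as unpatched until a human checks;
    the audit deliberately never defaults to 'patched'.
    """
    table = PATCHED_BUILDS if patched is None else patched
    minimum = table.get(release_line(info.version))
    if minimum is None:
        return "unassessed"
    return "patched" if info.build >= minimum else "VULNERABLE"


def parse_version_response(host: str, data: dict) -> VersionInfo:
    """Turn the JSON body of GET /api/appliance/system/version into VersionInfo."""
    return VersionInfo(host=host, version=str(data["version"]), build=int(data["build"]))


def fetch_version(host: str, user: str, password: str) -> VersionInfo:
    """Log in to one appliance and read its version (network call, TLS verified).

    Assumed API shape: POST /api/session with HTTP Basic auth returns the
    session id as a bare JSON string, sent back in 'vmware-api-session-id'.
    """
    ctx = ssl.create_default_context()
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}/api/session", method="POST",
                                 headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        session_id = json.load(resp)
    req = urllib.request.Request(f"https://{host}/api/appliance/system/version",
                                 headers={"vmware-api-session-id": session_id})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_version_response(host, json.load(resp))


def audit(infos: Iterable[VersionInfo],
          patched: Optional[Dict[str, Optional[int]]] = None) -> Dict[str, str]:
    """Map each host to its patch status."""
    return {info.host: patch_status(info, patched) for info in infos}


# Constructed sample data: hostnames, versions and builds are invented, and
# EXAMPLE_TABLE uses made-up build numbers so the logic can run offline.
SAMPLE_RESPONSES = [
    ("vcenter-a.example.internal", {"version": "8.0.2.00300", "build": "23000000"}),
    ("vcenter-b.example.internal", {"version": "7.0.3.01800", "build": "21000000"}),
    ("vcenter-c.example.internal", {"version": "6.7.0.50000", "build": "17000000"}),
]
EXAMPLE_TABLE = {"7.0": 22000000, "8.0": 22500000}  # NOT the real fixed builds


def run_sample() -> Dict[str, str]:
    """Audit the constructed sample fleet against the constructed table."""
    infos = [parse_version_response(h, body) for h, body in SAMPLE_RESPONSES]
    return audit(infos, EXAMPLE_TABLE)


if __name__ == "__main__":
    for host, status in run_sample().items():
        print(f"{host:30s} {status}")
```

In production you would replace `run_sample()` with a loop over `fetch_version()` for each appliance and feed the results to `audit()` with the filled-in `PATCHED_BUILDS`. The point of the three-way status is that an appliance on a release line you have not entered, such as the constructed 6.7 host, shows up as work to do rather than silently passing.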

Condon emphasized that "vCenter Server should never, ever be exposed to the public internet." Most successful attacks likely occur after attackers have already established a foothold in the victim's environment through other means.

Broader Context

This incident reflects a broader pattern of attackers exploiting known vulnerabilities long after patches become available. State-sponsored groups, in particular, maintain extensive vulnerability databases and conduct opportunistic attacks when they identify unpatched systems.

The virtualization layer represents a critical control point in modern data centers. Compromising vCenter Server provides attackers with centralized control over potentially hundreds of virtual machines and the underlying infrastructure. This makes it an attractive target for both espionage and ransomware operations.

Recommendations for Security Teams

  1. Immediate Actions:

    • Verify patch status across all vCenter Server instances
    • Review network access controls and firewall rules
    • Check for signs of compromise in vCenter logs
  2. Strategic Improvements:

    • Implement automated patch management for virtualization infrastructure
    • Establish regular vulnerability scanning specifically for management platforms
    • Develop incident response playbooks for virtualization compromises
  3. Architectural Considerations:

    • Isolate management networks from production and user networks
    • Implement multi-factor authentication for all administrative access
    • Consider network-based intrusion detection for management protocols
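The recommendations to review firewall rules, isolate the management network and watch management protocols all reduce to one question: who is reaching vCenter from where? The script below is an added example for this article, not code from the article or from Broadcom. It reads firewall or flow log lines in a constructed format and reports every connection to the vCenter address whose source is not in an allow-listed management subnet, grading accepted connections to management ports as high, dropped attempts as blocked, and tagging sources outside RFC 1918 space as external. The vCenter IP, the CIDRs and the watched port set are assumptions to replace with your own values; 443 is vCenter's HTTPS port and the other three are taken from VMware's published vCenter port list as the DCERPC-related ports, which you should verify for your release.

```python
"""Flag traffic reaching a vCenter Server from outside its management network."""
import ipaddress
import re
from collections import Counter
from typing import List, Optional

VCENTER_IP = ipaddress.ip_address("10.10.0.5")              # placeholder
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24"),    # placeholder: subnets
                   ipaddress.ip_network("10.20.5.0/24")]    # allowed to reach vCenter
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918 space; any
                 ipaddress.ip_network("172.16.0.0/12"),     # source outside it is
                 ipaddress.ip_network("192.168.0.0/16")]    # treated as external
WATCHED_PORTS = {443, 2012, 2014, 2020}  # HTTPS plus assumed DCERPC ports; verify

# Constructed log format: "<timestamp> <ACCEPT|DROP> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: two management-network clients, one non-management
# internal host hitting DCERPC ports, one external address, and unrelated noise.
SAMPLE_LOG = """\
2026-01-24T10:15:02Z ACCEPT TCP 10.10.0.23:51234 -> 10.10.0.5:443
2026-01-24T10:15:09Z ACCEPT TCP 10.20.5.7:40022 -> 10.10.0.5:2012
2026-01-24T10:16:41Z ACCEPT TCP 172.16.40.9:55120 -> 10.10.0.5:2012
2026-01-24T10:16:42Z ACCEPT TCP 172.16.40.9:55121 -> 10.10.0.5:2014
2026-01-24T10:17:00Z ACCEPT TCP 198.51.100.77:33001 -> 10.10.0.5:443
2026-01-24T10:17:03Z DROP   TCP 198.51.100.77:33002 -> 10.10.0.5:2020
2026-01-24T10:18:10Z ACCEPT TCP 10.10.0.44:60001 -> 10.10.0.9:22
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "action": d["action"], "proto": d["proto"],
            "src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]),
            "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"])}


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def classify(rec: dict) -> Optional[dict]:
    """Return a finding for one record, or None if it is not of interest."""
    if rec["dst"] != VCENTER_IP or in_any(rec["src"], MANAGEMENT_NETS):
        return None
    if rec["action"] == "DROP":
        severity = "blocked"   # the firewall held, but something probed vCenter
    elif rec["dport"] in WATCHED_PORTS:
        severity = "high"      # segmentation failure on a management port
    else:
        severity = "medium"    # unexpected path to vCenter on another port
    origin = "internal" if in_any(rec["src"], INTERNAL_NETS) else "external"
    return {"ts": rec["ts"], "src": str(rec["src"]), "dport": rec["dport"],
            "action": rec["action"], "severity": severity, "origin": origin}


def find_exposures(log_text: str) -> List[dict]:
    """Run every parsable line through classify() and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: List[dict]) -> Counter:
    """Count findings per (source, severity) so repeat offenders stand out."""
    return Counter((f["src"], f["severity"]) for f in findings)


if __name__ == "__main__":
    found = find_exposures(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['severity']:7s} {f['origin']:8s} {f['src']} -> :{f['dport']} ({f['action']})")
    print(summarize(found))
```

Any external-origin finding, accepted or blocked, means vCenter is reachable from an address that should not see it at all; the internal ones on DCERPC ports are the segmentation gaps a firewall review should close. The classification is deliberately port-agnostic for the skip decision: a host outside the management network has no business reaching vCenter on any port, so the port only affects the severity.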

Conclusion

The active exploitation of CVE-2024-37079 serves as a stark reminder that patch management remains a critical security function. While the vulnerability was publicly disclosed and patched in June 2024, the 19-month gap before confirmed exploitation demonstrates that organizations continue to struggle with timely remediation.

For VMware environments, this incident underscores the importance of treating virtualization management platforms as high-value assets requiring special protection. The centralized nature of vCenter Server makes it both essential for operations and attractive to attackers.

Organizations should treat this as an urgent priority, applying patches immediately and reviewing their broader virtualization security posture. The involvement of CISA and the addition to the KEV catalog indicate that this is not merely a theoretical threat but an active attack campaign.

Additional Resources

This article will be updated as more information becomes available about the scope of exploitation and specific attacker techniques.
