The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical VMware vCenter Server vulnerability, tracked as CVE-2024-37079, to its Known Exploited Vulnerabilities (KEV) Catalog. This move confirms that the flaw is not just theoretical but is being actively exploited in real-world attacks.
The vulnerability affects Broadcom VMware vCenter Server, a core component used by organizations worldwide to manage virtualized infrastructure. With a CVSS score of 9.8, CVE-2024-37079 is considered extremely severe and poses a major risk to enterprises that rely on VMware environments.
CVE-2024-37079 is a heap overflow vulnerability found in the implementation of the DCE/RPC (Distributed Computing Environment / Remote Procedure Call) protocol within VMware vCenter Server.
This flaw allows an attacker with network access to the vCenter Server to trigger it by sending a specially crafted network packet, potentially leading to remote code execution (RCE). In simple terms, a successful exploit lets the attacker run code on the vCenter appliance without first authenticating (a 9.8 score corresponds to a network-reachable flaw that requires no privileges and no user interaction).
Because vCenter Server often has high-level privileges and controls multiple ESXi hosts, exploiting this vulnerability can give attackers deep access into virtualized environments.
Broadcom, which now owns VMware, patched CVE-2024-37079 in June 2024. At the same time, the company also addressed a related vulnerability, CVE-2024-37080, which is another heap overflow issue in the DCE/RPC protocol that could also lead to remote code execution.
The vulnerabilities were discovered and responsibly disclosed by Hao Zheng and Zibo Li, security researchers from Chinese cybersecurity firm QiAnXin LegendSec.
At the time of release, Broadcom did not confirm active exploitation. However, that status has now changed.
In a recent update to its security advisory, Broadcom officially acknowledged that CVE-2024-37079 has been exploited in the wild.
“Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild,” the company stated.
Based on this confirmation, CISA added the vulnerability to its KEV catalog, which is reserved for flaws that pose an immediate and serious threat to government and private-sector systems.
During Black Hat Asia 2025, the researchers shared deeper technical details about the vulnerabilities. They revealed that CVE-2024-37079 is part of a larger set of four vulnerabilities affecting the DCE/RPC service in VMware products.
These include three heap overflow vulnerabilities and one privilege escalation vulnerability. Beyond CVE-2024-37079 and CVE-2024-37080, the set comprises:
CVE-2024-38812 (heap overflow)
CVE-2024-38813 (privilege escalation)
Broadcom patched these two vulnerabilities later, in September 2024.
Most concerning is the finding that one heap overflow vulnerability can be chained with CVE-2024-38813, a privilege escalation flaw. When combined, attackers could achieve unauthorized remote root access, ultimately allowing them to take control of ESXi hosts.
This attack chain significantly increases the risk, turning a single vulnerability into a full infrastructure compromise.
VMware vCenter Server often sits at the heart of enterprise IT environments. It manages:
Virtual machines
ESXi hosts
Storage and networking configurations
If attackers gain access to vCenter, they may be able to:
Deploy malware across multiple systems
Steal sensitive enterprise data
Shut down critical workloads
Create persistent backdoors
Launch ransomware attacks
Even though details about the current attacks remain limited, the confirmation of active exploitation makes this vulnerability a high priority for all organizations using VMware products.
At this time, it is not known:
Which threat actor or group is exploiting the flaw
Whether the attacks are targeted or widespread
How long the vulnerability has been exploited
However, history shows that once a vulnerability enters the KEV catalog, cybercriminals and nation-state attackers quickly follow, increasing the likelihood of mass exploitation.
Because the flaw is being actively exploited, Federal Civilian Executive Branch (FCEB) agencies are required under CISA's Binding Operational Directive 22-01 to remediate it. CISA has set a strict deadline of February 13, 2026: by that date, affected agencies must update to a patched version of VMware vCenter Server to remain compliant and secure.
Although this mandate applies to U.S. federal agencies, private organizations are strongly encouraged to take the same action immediately.
To reduce risk, organizations should:
Immediately patch vCenter Server to the latest version provided by Broadcom
Review network exposure of vCenter systems
Restrict access to management interfaces
Monitor logs for unusual or suspicious activity
Apply defense-in-depth controls, including network segmentation
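The exposure review in the list above is easy to skip because it feels like a networking task rather than a security one. The script below, added here as an example and not taken from the article or from Broadcom, makes it concrete: run from a host on an untrusted network segment, it reports which vCenter management ports accept a TCP connection from there. The port list is an assumption drawn from VMware's published vCenter port table (443 for the HTTPS interface, 2012, 2014 and 2020 for the DCE/RPC-based services); confirm it against Broadcom's current documentation, and treat any port that answers from a network that should never reach vCenter as a segmentation finding.

```python
"""Exposure check for vCenter management ports (added example, not vendor code).

Answers: "is this vCenter's management surface reachable from where I am
standing?"  A reachable port is not proof of vulnerability; the patch level
decides that.  It is proof that the DCE/RPC attack surface behind
CVE-2024-37079 is one packet away from this network segment.
"""
import socket
import sys
from typing import Dict, Iterable, List, Tuple

# Assumed default vCenter Server ports (confirm against Broadcom's port list):
#   443   HTTPS management UI / API (reverse proxy)
#   2012  DCE/RPC endpoint mapper
#   2014  VMware Certificate Authority (RPC)
#   2020  authentication framework (RPC)
VCENTER_MGMT_PORTS: Tuple[int, ...] = (443, 2012, 2014, 2020)


def probe_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """Return {port: reachable} using a plain TCP connect with a timeout.

    A completed handshake is enough: we never send application data, so this
    is safe to run against a production appliance.
    """
    results: Dict[int, bool] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = True
            except OSError:  # refused, filtered (timeout), unreachable
                results[port] = False
    return results


def exposed_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that accepted a connection, sorted for stable reporting."""
    return sorted(p for p, reachable in results.items() if reachable)


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a throwaway listener on 127.0.0.1 so the probe can be exercised
    offline.  The kernel completes handshakes for a listening socket even
    before accept() is called, which is all probe_ports needs."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port() -> int:
    """Pick a port that is currently closed on localhost (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def report(host: str, results: Dict[int, bool]) -> str:
    lines = [f"vCenter exposure check for {host} from this network segment:"]
    for port in sorted(results):
        lines.append(f"  {port:>5}  {'REACHABLE' if results[port] else 'closed/filtered'}")
    hit = exposed_ports(results)
    lines.append("  -> " + ("no management ports reachable" if not hit
                            else f"segmentation finding: {hit} answer from here"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python vcenter_exposure.py <vcenter-host-or-ip>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(report(target, probe_ports(target, VCENTER_MGMT_PORTS)))
```

Run it once from every network zone that has a route to vCenter (user VLANs, DMZ, partner links), not just from the admin jump host; the interesting output is a reachable 2012/2014/2020 from a segment that only needs, at most, port 443.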
Delaying patches could leave systems exposed to remote attacks with devastating impact.
The addition of CVE-2024-37079 to CISA’s KEV catalog highlights the ongoing risks facing virtualized environments. As attackers increasingly target infrastructure-level software, vulnerabilities in platforms like VMware vCenter become highly valuable attack vectors.
Organizations that depend on VMware must treat this issue as urgent, not optional. Applying patches promptly and strengthening monitoring can make the difference between staying secure and suffering a major breach.