The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Broadcom VMware vCenter Server to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation. The flaw, tracked as CVE-2024-37079, poses a severe risk to organizations relying on vCenter for virtualization management.
Critical Heap Overflow Vulnerability
CVE-2024-37079 is a heap overflow in the DCE/RPC protocol of vCenter Server, which allows attackers with network access to execute arbitrary code remotely. The flaw carries a CVSS score of 9.8, reflecting its high severity. Exploitation involves sending specially crafted network packets that can compromise the vCenter Server, potentially leading to full control over the underlying ESXi hosts.
The vulnerability was patched by Broadcom in June 2024, alongside CVE-2024-37080, another heap overflow in the same protocol. Researchers Hao Zheng and Zibo Li of QiAnXin LegendSec were credited with discovering and responsibly reporting the issues.
Research Insights
At Black Hat Asia 2025, the researchers presented findings on a set of four related vulnerabilities affecting the DCE/RPC service: three heap overflows and one privilege escalation flaw. Notably, one of the heap overflow vulnerabilities could be chained with the privilege escalation flaw (CVE-2024-38813), granting attackers unauthorized remote root access and full ESXi control. The other two vulnerabilities, CVE-2024-38812 and CVE-2024-38813, were patched in September 2024.
Active Exploitation Confirmed
While the scale and perpetrators of CVE-2024-37079 attacks remain unclear, Broadcom has confirmed in-the-wild exploitation. CISA’s inclusion of the vulnerability in the KEV catalog signals the urgent need for affected organizations to prioritize updates.
Federal Civilian Executive Branch (FCEB) agencies are now required to apply the latest patches by February 13, 2026, to mitigate the threat. Organizations outside the federal sector are strongly advised to follow suit to prevent potential compromise.
Recommended Actions
- Immediately update VMware vCenter Servers to the latest patched versions.
- Monitor network traffic for unusual DCE/RPC activity.
- Review internal access controls and audit logs for signs of compromise.
- Ensure ESXi hosts and connected virtual machines are protected by the latest security updates.
The emergence of CVE-2024-37079 highlights the continuing importance of timely patch management and proactive threat monitoring, especially for critical virtualization infrastructure.