CISA Alerts on Critical VMware vCenter Vulnerability Being Actively Exploited

CISA Flags Critical VMware vCenter Vulnerability Amid Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security vulnerability affecting Broadcom’s VMware vCenter Server to its Known Exploited Vulnerabilities (KEV) catalog, following evidence of active exploitation.

Identified as CVE-2024-37079, this vulnerability carries a CVSS score of 9.8, indicating its severity. It involves a heap overflow in the DCE/RPC protocol implementation, which could enable an attacker with network access to the vCenter Server to execute remote code by sending a specially crafted network packet.

Broadcom addressed this issue in June 2024, alongside another related vulnerability, CVE-2024-37080, which also pertains to a heap overflow in the DCE/RPC protocol. Both vulnerabilities were discovered and reported by researchers Hao Zheng and Zibo Li from the Chinese cybersecurity firm QiAnXin LegendSec.

In April 2025, during the Black Hat Asia security conference, these researchers revealed that CVE-2024-37079 and CVE-2024-37080 are part of a quartet of vulnerabilities found in the DCE/RPC service, including three heap overflows and one privilege escalation flaw. The remaining two vulnerabilities, CVE-2024-38812 and CVE-2024-38813, were patched by Broadcom in September 2024.

Notably, the researchers demonstrated that one of the heap overflow vulnerabilities could be combined with the privilege escalation flaw (CVE-2024-38813) to achieve unauthorized remote root access, potentially allowing full control over ESXi environments.

While the specifics of how CVE-2024-37079 is being exploited, the identities of the threat actors involved, and the scale of the attacks remain unclear, Broadcom has updated its advisory to confirm in-the-wild exploitation of this vulnerability. The company stated: "Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild."

In response to the active exploitation, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies update to the latest version of VMware vCenter Server by February 13, 2026, to ensure optimal protection against potential threats.