Critical VMware vCenter Server Flaw Exploited; CISA Urges Immediate Patching

Critical VMware vCenter Server Vulnerability Exploited in Active Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical vulnerability affecting Broadcom’s VMware vCenter Server to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion confirms that the vulnerability, identified as CVE-2024-37079, is being actively exploited in the wild, posing a significant threat to organizations relying on vCenter for virtualization management.

Understanding CVE-2024-37079

CVE-2024-37079 is an out-of-bounds write vulnerability located within the implementation of the Distributed Computing Environment / Remote Procedure Calls (DCERPC) protocol in VMware vCenter Server. This flaw arises from improper memory handling, allowing an unauthenticated attacker with network access to send specially crafted packets to the vCenter Server. Successful exploitation can lead to remote code execution, potentially granting the attacker full control over the affected system.

The vulnerability is associated with CWE-787 (Out-of-bounds Write) and is particularly dangerous due to its network-based attack vector, which does not require user interaction. Given that vCenter Server serves as the centralized management utility for VMware vSphere environments, a compromise could enable attackers to move laterally across the entire virtualized infrastructure.

CISA’s Response and Remediation Guidelines

On January 23, 2026, CISA added CVE-2024-37079 to its KEV catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies remediate this vulnerability by February 13, 2026. CISA advises all organizations, not just federal entities, to prioritize patching this flaw immediately. The recommended course of action is to apply the vendor-provided mitigations or discontinue the use of the product if mitigations are unavailable.

Broadcom has released updates for vCenter Server to address this issue, and administrators are urged to upgrade to the latest secure versions.

Steps to Secure Virtualization Infrastructure

To protect against this critical vulnerability, organizations should implement the following measures:

1. Patch Immediately: Apply the relevant patches provided in Broadcom’s security advisory to mitigate the vulnerability.

2. Network Segmentation: Ensure that vCenter Server interfaces are not exposed to the public internet. Restrict access to the vCenter management interface to trusted administrative networks only.

3. Monitor Traffic: Implement network monitoring to detect anomalous DCERPC traffic directed at vCenter servers, which could indicate exploitation attempts.

4. Review Logs: Audit access logs for unauthorized attempts to connect to the management interface, as these could be signs of exploitation.
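Steps 2 through 4 above come down to one check that can be automated: any connection reaching the vCenter management address from outside the approved administrative networks is, by definition, unexpected and worth triage. The script below is an added example written for this article, not code from CISA or Broadcom; the vCenter address, the admin subnets, the log format and the log lines are all constructed placeholders, and a real deployment would substitute its own firewall or flow export and the DCERPC ports listed in Broadcom's documentation.

```python
"""Flag connections to a vCenter management address that originate outside the
approved administrative networks, and surface sources that hit it repeatedly.
Constructed example for illustration; every address, subnet and log line below
is a placeholder, not data from the article or from a real environment."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumption (constructed): the vCenter appliance's management address and the
# subnets from which administrators are permitted to reach it.
VCENTER_HOST = ipaddress.ip_address("10.0.50.10")
ADMIN_NETWORKS = [
    ipaddress.ip_network("10.0.20.0/24"),
    ipaddress.ip_network("10.0.21.0/24"),
]

# Constructed firewall-style record: "<timestamp> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

# Constructed sample log. Ports are placeholders, not vCenter's real DCERPC ports.
SAMPLE_LOG = """\
2026-01-24T08:00:01Z ALLOW 10.0.20.15:51234 -> 10.0.50.10:443
2026-01-24T08:00:05Z ALLOW 10.0.20.15:51240 -> 10.0.50.10:2012
2026-01-24T08:01:10Z ALLOW 198.51.100.7:40001 -> 10.0.50.10:2012
2026-01-24T08:01:11Z ALLOW 198.51.100.7:40002 -> 10.0.50.10:2012
2026-01-24T08:01:12Z ALLOW 198.51.100.7:40003 -> 10.0.50.10:2012
2026-01-24T08:02:00Z DENY 203.0.113.9:3000 -> 10.0.50.10:443
2026-01-24T08:03:00Z ALLOW 10.0.21.8:5555 -> 10.0.50.10:443
2026-01-24T08:03:30Z ALLOW 10.0.20.15:51300 -> 10.0.60.1:22
"""


@dataclass(frozen=True)
class Access:
    """One connection attempt against the vCenter management address."""
    timestamp: str
    action: str      # "ALLOW" or "DENY" as recorded by the firewall
    src: str
    dst_port: int


def parse_line(line):
    """Parse one record; return None for unparseable lines or other destinations."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, _sport, dst, dport = m.groups()
    if ipaddress.ip_address(dst) != VCENTER_HOST:
        return None
    return Access(ts, action, src, int(dport))


def is_admin_source(src):
    """True when the source address falls inside an approved admin network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ADMIN_NETWORKS)


def find_external_access(log_text):
    """Every connection to vCenter whose source is outside the admin networks.

    Denied attempts are kept too: a DENY from an unknown source still shows
    the management interface is being reached for, which step 4 asks you to audit.
    """
    events = []
    for line in log_text.splitlines():
        acc = parse_line(line)
        if acc is not None and not is_admin_source(acc.src):
            events.append(acc)
    return events


def burst_sources(events, threshold=3):
    """Sources with at least `threshold` allowed connections: first in the triage queue.

    Repeated allowed connections from outside the admin networks mean both a
    segmentation gap (step 2) and a pattern worth correlating with vCenter logs.
    """
    counts = Counter(e.src for e in events if e.action == "ALLOW")
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_external_access(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.action:5} {h.src} -> vCenter:{h.dst_port}")
    print("repeat sources:", burst_sources(hits))
```

Running it against the constructed log reports three allowed connections and one denied attempt from outside the admin subnets, and singles out the one source that connected three times. Feeding it real flow or firewall data turns the article's "restrict access" and "review logs" advice into a check that can run on a schedule, with the allowlist doubling as documentation of which networks are supposed to reach vCenter at all.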

With the remediation deadline set for mid-February, organizations have a limited window to address this critical exposure before it becomes a standard target for automated exploitation tools.