U.S. CISA adds a flaw in Broadcom VMware vCenter Server to its Known Exploited Vulnerabilities catalog
2026-01-24 10:23:57 Author: securityaffairs.com

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw impacting Broadcom VMware vCenter to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Broadcom VMware vCenter Server vulnerability, tracked as CVE-2024-37079 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog.

vCenter Server is a centralized management platform developed by VMware for managing virtualized environments.

In June 2024, VMware addressed vCenter Server vulnerabilities, tracked as CVE-2024-37079 and CVE-2024-37080, that remote attackers can exploit to achieve remote code execution or privilege escalation.

The flaws are heap-overflow issues in the implementation of the DCERPC protocol. An attacker with network access can exploit them via crafted packets, potentially achieving remote code execution.

“The vCenter Server contains multiple heap-overflow vulnerabilities in the implementation of the DCERPC protocol. VMware has evaluated the severity of these issues to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.” reads the advisory. “A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution.”

Customers are advised to install the released security patches; no workarounds are available.

The vulnerabilities were reported by Hao Zheng (@zhz) and Zibo Li (@zbleet) from TianGong Team of Legendsec at Qi’anxin Group.

In an advisory update, Broadcom confirmed it is aware of attacks targeting CVE-2024-37079; however, exploitation details remain undisclosed.

“Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild.” continues the advisory.

Researchers revealed at Black Hat Asia 2025 that CVE-2024-37079 is one of four DCE/RPC flaws (three heap overflows and one privilege escalation). Two related bugs were patched in September 2024. One heap overflow can be chained with CVE-2024-38813 to gain remote root access on ESXi.

“Notably, we were able to exploit one of the heap overflow vulnerabilities in combination with the privilege escalation vulnerability to achieve unauthorized remote root access, successfully completing the Matrix Cup 2024 vulnerability challenge.” wrote the researchers. “In this presentation, we will begin by providing a detailed overview of the DCERPC protocol and the four vulnerabilities we uncovered in its implementation within vCenter Server, which have been assigned CVE numbers CVE-2024-37079, CVE-2024-37080, CVE-2024-38812, and CVE-2024-38813.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by February 13, 2026.
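The BOD 22-01 workflow described above (match the catalog against your own estate, then track each entry's due date) is easy to automate. The following script is an added example and is not tooling from CISA, Broadcom or Security Affairs. The field names (`cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`) follow the layout of CISA's published KEV JSON feed; the feed excerpt, the host names, the `CVE-0000-00001` placeholder entry and the `dateAdded` value are constructed for illustration, and only the vCenter CVE and its February 13, 2026 due date come from the article.

```python
"""Triage a scanner-derived asset inventory against CISA KEV catalog entries.

Added example, not part of the Security Affairs article or any CISA tool.
Sample feed excerpt, hosts and the CVE-0000-00001 entry are constructed.
"""
import json
from datetime import date, datetime

# Real location of the full feed; the sample below mimics its structure offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the shape of the KEV feed (two entries only).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-37079",
            "vendorProject": "Broadcom",
            "product": "VMware vCenter Server",
            "vulnerabilityName": "Broadcom VMware vCenter Server Heap-Based Buffer Overflow Vulnerability",
            "dateAdded": "2026-01-23",          # constructed; not taken from the catalog
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "dueDate": "2026-02-13",            # due date stated in the article
        },
        {
            "cveID": "CVE-0000-00001",           # placeholder ID, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "ExampleProduct Placeholder Vulnerability",
            "dateAdded": "2025-11-01",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "dueDate": "2025-12-01",
        },
    ],
})

# Constructed inventory: host, product string, and open CVEs reported by a scanner.
SAMPLE_ASSETS = [
    {"host": "vcenter01.corp.example", "product": "VMware vCenter Server 8.0",
     "open_cves": ["CVE-2024-37079", "CVE-2024-37080"]},
    {"host": "app02.corp.example", "product": "ExampleProduct",
     "open_cves": ["CVE-0000-00001"]},
    {"host": "build03.corp.example", "product": "Unrelated Build Agent",
     "open_cves": ["CVE-2024-37080"]},
]


def load_kev(feed_text):
    """Index KEV entries by CVE ID so lookups from scanner output are O(1)."""
    data = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string (the KEV feed uses the latter)."""
    return value if isinstance(value, date) else datetime.strptime(value, "%Y-%m-%d").date()


def triage(kev, assets, today):
    """Return KEV-listed findings per asset, soonest (or most overdue) due date first."""
    today = _as_date(today)
    findings = []
    for asset in assets:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:          # open but not in KEV: tracked elsewhere, not a BOD 22-01 item
                continue
            days = (_as_date(entry["dueDate"]) - today).days
            findings.append({
                "host": asset["host"],
                "cveID": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "dueDate": entry["dueDate"],
                "daysRemaining": days,
                "overdue": days < 0,
                "requiredAction": entry["requiredAction"],
            })
    findings.sort(key=lambda f: f["daysRemaining"])
    return findings


def product_watchlist(kev, assets):
    """Hosts whose product string matches a KEV product, independent of scanner coverage.

    Useful as a second net: a scanner may lack a check for a freshly added entry,
    but the product name alone says the host needs a version check.
    """
    hits = set()
    for asset in assets:
        for entry in kev.values():
            if entry["product"].lower() in asset["product"].lower():
                hits.add((asset["host"], entry["cveID"]))
    return sorted(hits)


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for f in triage(catalog, SAMPLE_ASSETS, date.today()):
        status = "OVERDUE" if f["overdue"] else f"{f['daysRemaining']}d left"
        print(f'{f["host"]:24} {f["cveID"]:16} due {f["dueDate"]} ({status})')
    for host, cve in product_watchlist(catalog, SAMPLE_ASSETS):
        print(f"verify version on {host}: KEV entry {cve}")
```

In practice, replace `SAMPLE_KEV_JSON` with the body fetched from `KEV_FEED_URL` and `SAMPLE_ASSETS` with your CMDB or scanner export; the product-name pass is deliberately broad, so treat its output as a verification queue rather than as confirmed exposure.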

Pierluigi Paganini


Source: https://securityaffairs.com/187267/security/u-s-cisa-adds-a-flaw-in-broadcom-vmware-vcenter-server-to-its-known-exploited-vulnerabilities-catalog.html