Broadcom and CISA Warn of Active Exploitation in VMware vCenter Server
Take action: If you run VMware vCenter Server or VMware Cloud Foundation, this is urgent. If you have not patched those systems since the June 2024 advisory, first make sure they are not reachable from the internet, then patch. Isolation alone is not enough: an attacker who has already compromised another vulnerable system or an endpoint on your network can reach an isolated vCenter from there.
Broadcom and CISA are warning that attackers are actively exploiting a critical vulnerability in VMware vCenter Server.
The vulnerability, tracked as CVE-2024-37079 (CVSS score 9.8), is a heap-overflow bug in vCenter's implementation of the DCERPC protocol that allows remote code execution.
Although Broadcom released patches in June 2024, recent evidence shows active use of the flaw in the wild.
The flaws are heap overflows in vCenter's implementation of the Distributed Computing Environment / Remote Procedure Calls (DCERPC) protocol. An attacker with network access to the vCenter service can send specially crafted packets that trigger the overflow and execute code on the server, with no user interaction required. Security researchers note that virtualization management tools are top targets for state-sponsored groups and ransomware gangs, because vCenter controls an entire virtual environment and compromising it puts every workload it manages within reach.
Experts advise that vCenter should never be exposed to the public internet. In practice, attackers usually already have a foothold in the victim's network and use these flaws to move laterally into the virtualization layer.
Broadcom urges users to update to fixed versions immediately: vCenter Server 8.0 U2d, 8.0 U1e or 7.0 U3r, depending on the release line in use. Cloud Foundation users must apply the specific updates listed in the Broadcom Knowledge Base article for this advisory.
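A small triage helper for checking an inventory of vCenter release names against the fixed versions named above, added here as an illustration; it is not Broadcom's tooling and is not from the advisory. It assumes the release name as displayed in the vSphere Client "About" dialog (for example "8.0 U2c") and VMware's convention of appending a letter per patch release within an update line (U2, U2a, U2b, ...). Update lines that the advisory does not list, such as 8.0 U3, are reported as unknown rather than guessed, so they can be checked against the Knowledge Base by hand. The inventory at the bottom is constructed sample data.

```python
import re
from typing import Optional, List, Tuple

# Fixed releases from the advisory cited in the article, keyed by
# (release line, update number) -> first patched letter.
# Lines not present here are deliberately not assessed.
FIXED_RELEASES = {
    ("8.0", 2): "d",   # vCenter Server 8.0 U2d
    ("8.0", 1): "e",   # vCenter Server 8.0 U1e
    ("7.0", 3): "r",   # vCenter Server 7.0 U3r
}

# Assumed display format: "<major>.<minor> U<update><letter?>", e.g. "7.0 U3q".
_RELEASE_RE = re.compile(r"^\s*(\d+\.\d+)\s*U(\d+)([a-z]?)\s*$", re.IGNORECASE)


def parse_release(name: str) -> Tuple[str, int, str]:
    """Split a release name into (line, update number, patch letter).

    The GA release of an update line has no letter and is returned as "".
    """
    m = _RELEASE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised vCenter release name: {name!r}")
    return m.group(1), int(m.group(2)), m.group(3).lower()


def is_patched(name: str) -> Optional[bool]:
    """True if the release is at or past the fixed build for its update line.

    Returns None when the update line is not covered by the advisory table,
    so the caller does not mistake "not listed" for "safe".
    """
    line, update, letter = parse_release(name)
    fixed_letter = FIXED_RELEASES.get((line, update))
    if fixed_letter is None:
        return None
    # Within one update line the patch letter increments per release, and the
    # GA build ("") sorts before "a", so a plain string comparison suffices.
    return letter >= fixed_letter


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify each (host, release) pair as PATCHED, VULNERABLE or UNKNOWN."""
    labels = {True: "PATCHED", False: "VULNERABLE", None: "UNKNOWN"}
    return [(host, release, labels[is_patched(release)])
            for host, release in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("vc-prod-01", "8.0 U2d"),
        ("vc-prod-02", "8.0 U2b"),
        ("vc-lab-01", "7.0 U3"),
        ("vc-lab-02", "7.0 U3r"),
        ("vc-new-01", "8.0 U3"),
    ]
    for host, release, status in triage(sample):
        print(f"{host:12} {release:10} {status}")
```

Anything reported VULNERABLE should be treated as unpatched and, per the advice above, cut off from the internet before the upgrade is scheduled; UNKNOWN entries need a manual check against the Knowledge Base rather than being assumed safe.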