Advisory

Broadcom patches critical VMware vCenter Server remote code execution flaw

Take action: If you are running VMware vCenter Server, make sure the vSphere management components are accessible only from a trusted management network and are never exposed to the public internet. Then plan to apply the fixed versions as soon as possible.


Learn More

Broadcom has patched two flaws, including one critical remote code execution (RCE) vulnerability in VMware vCenter Server.

  • CVE-2024-38812 (CVSS score 9.8) is a heap overflow in the DCE/RPC protocol implementation. It allows an unauthenticated attacker with network access to vCenter Server to execute arbitrary code by sending a specially crafted network packet. The flaw affects VMware vCenter Server, VMware vSphere, and VMware Cloud Foundation. It was reported by TZL security researchers during China's 2024 Matrix Cup hacking contest.
  • CVE-2024-38813 (CVSS score 7.5) is a privilege escalation vulnerability. It allows an attacker with network access to gain root privileges on an affected server by sending a specially crafted network packet.

Impacted Products

  • VMware vCenter Server (versions 8.0 and 7.0)
  • VMware Cloud Foundation (versions 5.x and 4.x)

Security updates have been released for affected products:

  • vCenter Server 8.0: Update to version 8.0 U3b
  • vCenter Server 7.0: Update to version 7.0 U3s
  • VMware Cloud Foundation 5.x: Apply the async patch to 8.0 U3b
  • VMware Cloud Foundation 4.x: Apply the async patch to 7.0 U3s

Broadcom has published no in-product workaround. Administrators who cannot immediately apply the updates should restrict network access to the vSphere management components in the meantime.
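To turn the fixed-version list above into a triage you can run across a fleet, the following is an added example (not code from the advisory or from Broadcom). It parses the version line that `vpxd -v` prints on a vCenter appliance and compares the build number with the build that ships the fix for each release line. The fixed build numbers are taken from the 8.0 U3b and 7.0 U3s release notes at the time of writing and are an assumption you should confirm against Broadcom's build-number KB before relying on them; the hostnames and sample version strings are constructed for illustration.

```python
import re

# Builds that ship the fix for CVE-2024-38812 / CVE-2024-38813, per the
# vCenter release notes at the time of writing (8.0 U3b and 7.0 U3s).
# ASSUMPTION: confirm these build numbers against Broadcom's KB before use.
FIXED_BUILDS = {
    "8.0": ("8.0 U3b", 24262322),
    "7.0": ("7.0 U3s", 24201990),
}

# Matches the version/build part of `vpxd -v` output on the appliance,
# e.g. "VMware VirtualCenter 8.0.3 build-24262322".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.\d+)?\s+build-(\d+)\b")


def parse_vpxd_version(text: str) -> tuple[str, int]:
    """Return (release line, build number) from a vpxd -v style string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, build = m.groups()
    return f"{major}.{minor}", int(build)


def triage(line: str, build: int) -> str:
    """Classify a vCenter (line, build) as patched, vulnerable or unsupported.

    Build numbers increase with every release within a line, so a build at or
    above the fixed build already carries the fix.
    """
    if line not in FIXED_BUILDS:
        # 6.x and older are outside the lines listed in the advisory; flag them
        # for manual review rather than silently calling them safe.
        return "unsupported"
    _name, fixed_build = FIXED_BUILDS[line]
    return "patched" if build >= fixed_build else "vulnerable"


def triage_inventory(inventory: dict[str, str]) -> dict[str, dict[str, str]]:
    """Map each host's vpxd -v output to a status and a next action."""
    report = {}
    for host, version_text in inventory.items():
        try:
            line, build = parse_vpxd_version(version_text)
        except ValueError as exc:
            # Unparseable input is reported, not skipped, so nothing goes unchecked.
            report[host] = {"status": "unknown", "action": str(exc)}
            continue
        status = triage(line, build)
        if status == "patched":
            action = f"none; {FIXED_BUILDS[line][0]} or later is installed"
        elif status == "vulnerable":
            name, fixed_build = FIXED_BUILDS[line]
            action = (f"update to {name} (build {fixed_build}); until then restrict "
                      "access to the management network")
        else:
            action = "release line not covered by this advisory; review manually"
        report[host] = {"status": status, "line": line,
                        "build": str(build), "action": action}
    return report


# Constructed sample inventory (hostnames and builds are illustrative only).
SAMPLE_INVENTORY = {
    "vc-prod-01.example.internal": "VMware VirtualCenter 8.0.3 build-24000000",
    "vc-prod-02.example.internal": "VMware VirtualCenter 8.0.3 build-24262322",
    "vc-lab-01.example.internal": "VMware VirtualCenter 7.0.3 build-24201990",
    "vc-legacy.example.internal": "VMware VirtualCenter 6.7.0 build-17000000",
}

if __name__ == "__main__":
    for host, entry in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {entry['status']} - {entry['action']}")
```

VMware Cloud Foundation deployments run the same vCenter builds, so the same comparison applies once the async patch has been applied; the check deliberately reports unparseable or out-of-scope hosts instead of dropping them, since a host missing from a vulnerability report is the one that tends to stay exposed.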
