The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting VMware vCenter Server to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the flaw is being actively exploited in real-world attacks.
The update stresses CVE-2024-37079, a severe remote code execution (RCE) issue that was originally patched in 2024 but continues to pose a direct risk to organizations running unpatched systems.
Heap Overflow Flaw Poses Severe RCE Risk
CVE-2024-37079 carries a maximum CVSS v3.1 score of 9.8, placing it firmly in the “critical” severity category. The vulnerability stems from a heap overflow weakness in the Distributed Computing Environment/Remote Procedure Call (DCE/RPC) protocol implementation within VMware vCenter Server.
VMware vCenter Server is widely used by administrators to centrally manage Broadcom’s VMware ESXi hypervisors and virtual machines, making it a high-value target for attackers.
DCE/RPC, or Distributed Computing Environment/Remote Procedure Calls, is used by VMware vCenter Server for internal inter-process communication. This includes sensitive services such as certificate management, directory services, and authentication.
According to the CVE description, “vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution.”
By exploiting CVE-2024-37079, threat actors can gain a foothold on the vCenter management plane and then move laterally to underlying hypervisors.
Impact of CVE-2024-37079 Across VMware vCenter Server and Cloud Foundation
The vulnerability record for CVE-2024-37079 was published on June 18, 2024, by VMware and Broadcom. It specifies that the flaw is remotely exploitable over the network with no privileges or user interaction required. Affected products include VMware vCenter Server versions 8.0 before 8.0 U2d and 8.0 U1e, as well as version 7.0 before 7.0 U3r. VMware Cloud Foundation deployments are also impacted, specifically versions 5.x and 4.x that include vulnerable vCenter Server components. Later fixed versions are available, but no viable in-product workarounds were identified.
CVE-2024-37079 is addressed as part of VMware Security Advisory VMSA-2024-0012, initially released on June 17, 2024. The advisory also covers CVE-2024-37080, another heap overflow issue in the DCE/RPC implementation, and CVE-2024-37081, a local privilege escalation vulnerability caused by sudo misconfigurations. While CVE-2024-37081 carries a lower maximum CVSS score of 7.8 and requires local authenticated access, CVE-2024-37079 and CVE-2024-37080 both reach the critical 9.8 threshold.
Urgent Need for Patching as Exploitation Occurs in the Wild
On Jan. 23, 2026, VMware updated the advisory to version VMSA-2024-0012.1, adding a key note: “Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild.” This update aligns with CISA’s decision to add the vulnerability to the KEV catalog, signaling that attackers are actively abusing the flaw rather than merely researching it.
VMware acknowledged the researchers who responsibly disclosed the issues. CVE-2024-37079 and CVE-2024-37080 were reported by Hao Zheng (@zhz) and Zibo Li (@zbleet) from the TianGong Team of Legendsec at Qi’anxin Group. CVE-2024-37081 was reported by Matei “Mal” Badanoiu of Deloitte Romania.
