Wednesday February 04, 2026

Advisory ID: NCC-CSIRT-2026-003

Summary: 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-37079, a critical heap-overflow vulnerability in VMware vCenter Server, to its Known Exploited Vulnerabilities (KEV) catalogue following confirmed evidence of active exploitation in the wild. The vulnerability allows an unauthenticated attacker with network access to a vCenter Server instance to send a specially crafted packet and achieve remote code execution (RCE) on the appliance.

VMware released patches for this flaw in June 2024 (VMSA-2024-0012). Broadcom's subsequent update to that advisory confirms that exploitation has been observed in production environments in early 2026, roughly 18 months after fixes became available. Any organization still running an unpatched vCenter Server should treat remediation as an emergency rather than a routine maintenance item.

Damage/Probability: Critical/High

Product(s): 

  • Broadcom VMware vCenter Server, the centralized management platform for VMware ESXi hosts and the virtual machines they run

Version(s): 

All VMware vCenter Server 7.0 and 8.0 builds released before the June 2024 fixes. CVE-2024-37079 remains exploitable wherever those updates have not been fully applied; consult VMSA-2024-0012.1 for the exact fixed builds per release line.

Platform(s): 

Virtualization management infrastructures across enterprise, cloud, government, and telecommunication data centers.

Description: 

CVE-2024-37079 is a heap-overflow vulnerability in the DCE/RPC protocol implementation of VMware vCenter Server. An attacker who can reach the vulnerable service over the network can send a specially crafted packet that corrupts heap memory and leads to execution of arbitrary code in the context of the vCenter Server process. No valid credentials or prior access are required, which makes this an unauthenticated, network-reachable RCE.

Broadcom's updated advisory confirms that CVE-2024-37079 is being exploited in real-world environments, prompting CISA to add it to the KEV catalogue and to require remediation by U.S. federal agencies within the mandated deadline; enterprises are strongly advised to follow the same timeline. The vulnerability was originally patched in June 2024 alongside a related heap-overflow issue in the same DCE/RPC service, so environments that skipped or only partially applied that release should be assumed affected by both.

There is no workaround that fully mitigates this RCE short of applying the patch. Restricting network access to the vCenter management plane reduces the attack surface but does not remove the flaw; patch application, backed by tight segmentation, is therefore paramount.

Threat Types: 

  • Critical Remote Code Execution (RCE) via heap overflow in the DCERPC (Distributed Computing Environment / Remote Procedure Call) protocol implementation.
  • Unauthorized compromise of the virtual environment: vCenter Server runs with elevated privileges and controls ESXi hosts, so code execution on it is especially high-impact.
  • Potential lateral movement, virtual machine manipulation, and denial of service following successful exploitation.

Impacts: 

  • Exploitation grants attackers high-privilege code execution on vCenter, enabling control over hosts, clusters, virtual machines, and permissions.
  • With control over vCenter, adversaries can pivot within the virtualized environment and deploy additional malicious payloads to guest systems.
  • vCenter Server is central to operations; compromise may lead to service outages, data loss, and lockout of legitimate administrators.
  • Attackers could access sensitive configuration and credential data held in the virtual management plane, including stored credentials for ESXi hosts and integrated identity sources.

Solutions:  

NCC-CSIRT recommends the following mitigation steps:

  • Update all VMware vCenter Server instances to the patched builds specified by Broadcom; consult the latest VMware advisory (VMSA-2024-0012.1 or later) to confirm the exact target build for each release line.
  • Restrict network access to vCenter management interfaces: only trusted management hosts (jump hosts, administrative VLANs) should have connectivity.
  • Limit exposure of vCenter ports and services to internal networks; isolate the management plane from general production traffic, and never expose vCenter directly to the Internet.
  • Enable detailed logging and review access logs for anomalous DCERPC traffic or other exploit indicators; correlate events with external threat intelligence.
  • Prepare playbooks for virtualization-layer compromise; maintain backups of vCenter configurations and ensure out-of-band recovery options.
  • Treat VMware vCenter Server as a top-priority asset and patch it out of cycle rather than waiting for the next scheduled maintenance window.
  • Validate that all instances, including test, staging, and disaster-recovery nodes, are updated; lower-tier environments are frequently forgotten and are reachable from the same networks.
  • Enforce MFA for administrative access to vCenter and related infrastructure.
  • Deploy network IDS/IPS signatures tuned to identify crafted DCERPC exploit attempts.
  • Inform virtualization service providers and cloud tenants if vCenter infrastructure is shared or outsourced.
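The first, second and seventh recommendations above can be checked mechanically. The script below is an added illustration written for this advisory; it is not NCC-CSIRT, Broadcom or VMware code. It compares the build each vCenter appliance reports (the JSON returned by GET /api/appliance/system/version on vCenter 7.0 U2 and later) against a minimum fixed build per release line, and it scans firewall log lines for sources outside a management allowlist that were allowed to reach a vCenter address. The build thresholds, vCenter addresses, allowlisted subnet, API responses and log lines are all constructed placeholders: replace the thresholds with the fixed builds from VMSA-2024-0012.1, and the log parser with one matching your firewall's format, before relying on it.

```python
"""Audit helpers for CVE-2024-37079 exposure (added example; not vendor or NCC-CSIRT code)."""
import ipaddress
import json
import re

# Minimum fixed build per vCenter release line. PLACEHOLDER numbers for illustration:
# take the real fixed builds from VMSA-2024-0012.1 before using this in production.
FIXED_BUILD = {
    "7.0": 23000000,
    "8.0": 23500000,
}

# Constructed sample responses (abridged) from GET /api/appliance/system/version,
# keyed by the inventory name of each appliance. Build numbers are made up.
SAMPLE_VERSION_RESPONSES = {
    "vcsa-prod": '{"version": "8.0.2.00300", "build": "23900000", "product": "VMware vCenter Server"}',
    "vcsa-dr":   '{"version": "8.0.2.00100", "build": "22600000", "product": "VMware vCenter Server"}',
    "vcsa-lab":  '{"version": "7.0.3.01800", "build": "23100000", "product": "VMware vCenter Server"}',
}

# Assumed addresses of the vCenter appliances and the only subnet allowed to manage them.
VCENTER_ADDRESSES = {"10.0.0.10", "10.0.0.11"}
MANAGEMENT_ALLOWLIST = [ipaddress.ip_network("10.99.0.0/24")]

# Constructed firewall log lines in a simple key=value format.
SAMPLE_FIREWALL_LOG = """\
2026-02-03T09:12:41Z fw01 action=allow src=10.99.0.5 dst=10.0.0.10 dport=443 proto=tcp
2026-02-03T09:13:02Z fw01 action=allow src=10.20.30.5 dst=10.0.0.10 dport=2012 proto=tcp
2026-02-03T09:13:05Z fw01 action=deny src=203.0.113.7 dst=10.0.0.11 dport=443 proto=tcp
2026-02-03T09:14:11Z fw01 action=allow src=10.20.30.5 dst=10.0.0.99 dport=443 proto=tcp
"""

KV_PAIR = re.compile(r"(\w+)=(\S+)")


def release_line(version: str) -> str:
    """'8.0.2.00300' -> '8.0': the major.minor line the fixed-build table is keyed on."""
    return ".".join(version.split(".")[:2])


def patch_state(name: str, response_json: str) -> dict:
    """Classify one appliance as patched, VULNERABLE, or on a line the table does not cover."""
    data = json.loads(response_json)
    line = release_line(data["version"])
    build = int(data["build"])
    minimum = FIXED_BUILD.get(line)
    if minimum is None:
        status = "unknown-line"      # not in the table: check the advisory by hand
    elif build >= minimum:
        status = "patched"
    else:
        status = "VULNERABLE"
    return {"host": name, "line": line, "build": build, "status": status}


def audit_patch_state(responses: dict) -> list:
    """Run patch_state over every appliance in the inventory."""
    return [patch_state(name, body) for name, body in responses.items()]


def parse_log_line(line: str) -> dict:
    """Extract key=value fields; the first token is the timestamp."""
    fields = dict(KV_PAIR.findall(line))
    fields["timestamp"] = line.split()[0]
    return fields


def is_management_host(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_ALLOWLIST)


def find_unexpected_access(log_text: str) -> list:
    """Allowed connections to a vCenter address from outside the management allowlist."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_log_line(raw)
        if f.get("dst") not in VCENTER_ADDRESSES or f.get("action") != "allow":
            continue
        if is_management_host(f["src"]):
            continue
        findings.append({"timestamp": f["timestamp"], "src": f["src"],
                         "dst": f["dst"], "dport": f.get("dport")})
    return findings


if __name__ == "__main__":
    for row in audit_patch_state(SAMPLE_VERSION_RESPONSES):
        print(f"{row['host']:10} line {row['line']} build {row['build']}: {row['status']}")
    for hit in find_unexpected_access(SAMPLE_FIREWALL_LOG):
        print(f"segmentation gap: {hit['src']} reached vCenter {hit['dst']}:{hit['dport']} at {hit['timestamp']}")
```

In a real run, replace SAMPLE_VERSION_RESPONSES with the live API responses (the endpoint requires an authenticated session) and feed the firewall export into find_unexpected_access; any "VULNERABLE" row is a host to patch immediately, and any finding from the log scan is a source that should not have a path to the management plane at all.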

References: