The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Broadcom VMware vCenter Server to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that hackers are actively weaponizing the flaw to breach enterprise networks.
The vulnerability, tracked as CVE-2024-37079, carries a critical CVSS score of 9.8, placing it in the highest severity band for organizations running unpatched versions of the popular virtualization management platform.
The flaw lies deep within the implementation of the DCERPC protocol used by vCenter Server. It is described as an “Out-of-bounds Write” or heap-overflow vulnerability.
The attack vector is terrifyingly simple for a skilled adversary. “A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet,” the CVE record explains.
If successful, this single packet can lead to Remote Code Execution (RCE), effectively handing the attacker the keys to the server without needing a password or prior authentication.
The issue was originally resolved by Broadcom back in June 2024, alongside a similar heap overflow vulnerability tracked as CVE-2024-37080. Both issues were credited to security researchers Hao Zheng and Zibo Li from the Chinese cybersecurity firm QiAnXin LegendSec.
However, despite patches being available for over a year, Broadcom has now updated its advisory to officially confirm in-the-wild abuse of the vulnerability.
While the specifics of the attacks remain murky (it is currently unknown which threat actors are behind the campaigns or the scale of the operations), the confirmation of active exploitation changes the calculus for defenders.
CISA’s inclusion of this flaw in the KEV catalog mandates immediate action for federal networks. Citing the “significant risks to the federal enterprise,” the agency has ordered all Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by February 13, 2026.