The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw affecting Broadcom VMware vCenter Server patched in June 2024 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of real-world exploitation.
The vulnerability in question is CVE-2024-37079 (CVSS score: 9.8). This refers to a heap overflow in the implementation of the DCE/RPC protocol that could allow a malicious attacker with network access to vCenter Server to execute remote code by sending specially crafted network packets.
This issue was resolved by Broadcom in June 2024 along with CVE-2024-37080, another heap overflow in the DCE/RPC protocol implementation that could lead to remote code execution. Researchers Hao Zheng and Zibo Li from Chinese cybersecurity company QiAnXin LegendSec are credited with discovering and reporting the issue.
In a presentation at the Black Hat Asia security conference in April 2025, researchers said the two flaws are part of a set of four vulnerabilities (three heap overflows and one privilege escalation) discovered in DCE/RPC services. Two other flaws, CVE-2024-38812 and CVE-2024-38813, were patched by Broadcom in September 2024.
In particular, it was discovered that one of the heap overflow vulnerabilities could chain with an elevation of privilege vulnerability (CVE-2024-38813) to allow unauthorized remote root access and ultimately control over ESXi.
It is currently unknown how CVE-2024-37079 is being exploited, whether it is the work of known attackers or groups, and the scale of such attacks. However, Broadcom has since updated its advisory and officially confirmed that this vulnerability has indeed been exploited.
“Broadcom has received information suggesting that exploitation of CVE-2024-37079 has occurred in the wild,” the company said in an update.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies must update to the latest version by February 13, 2026 for optimal protection.
Source link
