
A critical vulnerability recently added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog affects Broadcom's VMware vCenter Server and is being actively exploited by malicious hackers to breach corporate networks, the agency confirmed.
For a skilled adversary, the attack vector appears alarmingly simple. According to the CVE filing, an attacker with network access to vCenter Server can trigger the vulnerability by sending a specially crafted network packet.
The vulnerability is CVE-2024-37079, which has a critical CVSS score of 9.8, signaling the highest threat level for organizations using unpatched versions of the popular virtualization management platform.
The flaw is hidden in the implementation of the DCERPC protocol used by vCenter Server. It is described as a heap overflow vulnerability.
The issue was originally fixed by Broadcom in June 2024, along with a similar heap overflow vulnerability, identified as CVE-2024-37080. Both issues were attributed to security researchers Hao Zheng and Zibo Li of the Chinese cybersecurity firm QiAnXin LegendSec.
If the attack succeeds, that single packet can lead to remote code execution (RCE), effectively handing the attacker the keys to the server without a password or any prior authentication.
While details of the attacks remain unclear, confirmation that the flaw is being actively exploited changes the defensive calculus. CISA's decision to include the vulnerability in the KEV catalog requires urgent action on federal networks.
Although patches have been available for more than a year, Broadcom has now updated its advisory to officially confirm ongoing abuse of the vulnerability.
The agency stated that “substantial risks exist to the federal agency” and therefore directed all Federal Civilian Executive Branch (FCEB) agencies to address the vulnerability by February 13, 2026.
