CISA Warns Hackers Are Actively Exploiting Critical VMware vCenter Server Flaw
Federal agencies ordered to patch vCenter Server systems within weeks as real-world exploitation is confirmed.

The Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical vulnerability in VMware vCenter Server as actively exploited in the wild. The agency has ordered U.S. federal civilian agencies to secure affected systems within three weeks.
The flaw, tracked as CVE-2024-37079, enables remote code execution and poses a serious risk to virtualized environments that rely on vCenter Server for infrastructure management.
What Is the Vulnerability
CVE-2024-37079 is a heap overflow vulnerability in the DCERPC protocol implementation of VMware vCenter Server. Attackers with network access can exploit the issue by sending a specially crafted packet.
Key characteristics:
- Remote code execution
- No authentication required
- No user interaction needed
- Low attack complexity
This combination makes the vulnerability especially dangerous in enterprise and data center environments.
Active Exploitation Confirmed
Although VMware patched the flaw in June 2024, both CISA and Broadcom have now confirmed that attackers are actively exploiting it in real-world attacks.
Broadcom updated its advisory to warn customers that exploitation has already occurred, reinforcing the urgency of patching exposed systems.
CISA Mandate and Deadline
After adding the flaw to its Known Exploited Vulnerabilities (KEV) catalog, CISA ordered Federal Civilian Executive Branch agencies to remediate affected systems by February 13 under Binding Operational Directive 22-01.
CISA warned that vulnerabilities of this type are frequently abused by threat actors and represent a significant risk to government and enterprise infrastructure.
No Workarounds Available
There are no mitigations or workarounds for CVE-2024-37079. Organizations must apply the latest security updates for:
- VMware vCenter Server
- VMware Cloud Foundation
Systems that cannot be patched should be taken offline.
Why This Matters for Organizations
vCenter Server acts as a central control plane for virtual machines and ESXi hosts. A successful compromise could allow attackers to:
- Take control of virtual infrastructure
- Deploy malware at scale
- Access sensitive workloads
- Disrupt business operations
Given VMware’s widespread use across enterprises, cloud providers, and government agencies, this vulnerability presents a high-impact attack surface.
Ongoing VMware Targeting
This is not an isolated incident. Over the past year, multiple VMware vulnerabilities have been actively exploited, including flaws in VMware Aria Operations, NSX, and VMware Tools.
Security teams are strongly advised to treat VMware infrastructure as a high-priority attack target.