The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially placed a critical vulnerability affecting Broadcom VMware vCenter Server on its radar, adding CVE-2024-37079 to its Known Exploited Vulnerabilities (KEV) catalog. This move, made on January 24, 2026, follows evidence of the flaw being actively exploited in the wild. The vulnerability, which was patched by Broadcom in June 2024, carries a severe CVSS score of 9.8, indicating a high risk to enterprise security.
The critical security flaw, CVE-2024-37079, resides within the implementation of the DCE/RPC protocol in VMware vCenter Server. Threat actors equipped with network access to the affected servers can exploit a heap overflow vulnerability to achieve remote code execution. This means attackers could potentially run malicious code on vulnerable systems without any prior authentication, posing a significant threat to organizations relying on VMware’s virtualization management platform.
Critical VMware vCenter Vulnerability Under Active Exploitation
The discovery of CVE-2024-37079 and a related vulnerability, CVE-2024-37080, is credited to researchers Hao Zheng and Zibo Li from Chinese cybersecurity firm QiAnXin LegendSec. Both identified issues stem from heap overflows within the DCE/RPC protocol’s implementation, with both flaws allowing for remote code execution. Broadcom addressed these vulnerabilities through security updates released in June 2024, urging customers to apply the patches promptly.
Further research presented at the Black Hat Asia security conference in April 2025 revealed that these two vulnerabilities are part of a larger set of four discovered in the DCE/RPC service. This set includes three heap overflow vulnerabilities and one privilege escalation flaw. The remaining vulnerabilities, CVE-2024-38812 and CVE-2024-38813, were patched by Broadcom in September 2024.
Of particular concern, the researchers highlighted the potential for chaining certain vulnerabilities. Specifically, one of the heap overflow flaws could be combined with the privilege escalation vulnerability (CVE-2024-38813). This combination could empower an attacker to achieve unauthorized remote root access, and ultimately, gain complete control over the underlying ESXi hypervisor, the foundation of VMware’s virtualization infrastructure.
Implications for Enterprise Security and Patching Deadlines
While the exact methods of exploitation for CVE-2024-37079 remain undisclosed, and it is currently unknown if specific threat actor groups are involved, Broadcom has officially confirmed reports of in-the-wild abuse. This confirmation by the vendor underscores the urgency for organizations to take action. CISA’s inclusion of this vulnerability in the KEV catalog signifies a heightened alert for government agencies and critical infrastructure providers.
In response to the active exploitation, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies must update their VMware vCenter Server systems to the latest patched versions by February 13, 2026. This deadline is crucial for ensuring optimal protection against ongoing threats. Organizations not designated as FCEB agencies are strongly advised to follow suit and prioritize patching this critical vulnerability to mitigate their risk exposure.
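As an added illustration of the KEV-driven patch triage the deadline above implies (this is example code written for this article, not a CISA or Broadcom tool), the script below reads a catalog excerpt in the shape of CISA's KEV JSON feed and reports which vCenter hosts in an inventory still lack the fix and how many days remain before the FCEB due date. The catalog excerpt and the host inventory are constructed samples; only the CVE id, the date added and the due date are taken from the article.

```python
"""Flag vCenter hosts that still lack a fix listed in the CISA KEV catalog."""
import json
from datetime import date

# Constructed excerpt mirroring the field names of CISA's KEV JSON feed
# (not the live feed). cveID, dateAdded and dueDate come from the article.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-37079",
            "vendorProject": "Broadcom",
            "product": "VMware vCenter Server",
            "dateAdded": "2026-01-24",
            "dueDate": "2026-02-13",
        }
    ]
})

# Constructed inventory: host names and which KEV-listed CVEs each host has
# already had the vendor fix applied for (asset-tracking data, not real hosts).
INVENTORY = [
    {"host": "vc-prod-01", "product": "VMware vCenter Server",
     "applied_fixes": {"CVE-2024-37079", "CVE-2024-37080"}},
    {"host": "vc-lab-02", "product": "VMware vCenter Server",
     "applied_fixes": set()},
    {"host": "esxi-03", "product": "VMware ESXi", "applied_fixes": set()},
]


def kev_due_dates(kev_json: str, product_keyword: str) -> dict:
    """Map cveID -> dueDate for KEV entries whose product matches the keyword."""
    catalog = json.loads(kev_json)
    return {
        v["cveID"]: date.fromisoformat(v["dueDate"])
        for v in catalog["vulnerabilities"]
        if product_keyword.lower() in v["product"].lower()
    }


def triage(kev_json: str, inventory: list, today: date) -> list:
    """Return (host, cve, days_until_due) for each vCenter host missing a KEV fix.

    A negative days_until_due means the CISA deadline has already passed.
    """
    due = kev_due_dates(kev_json, "vCenter")
    findings = []
    for asset in inventory:
        if "vcenter" not in asset["product"].lower():
            continue  # ESXi and other products are outside this catalog entry
        for cve, deadline in sorted(due.items()):
            if cve not in asset["applied_fixes"]:
                findings.append((asset["host"], cve, (deadline - today).days))
    return findings


if __name__ == "__main__":
    for host, cve, days in triage(KEV_SAMPLE, INVENTORY, date.today()):
        state = "OVERDUE" if days < 0 else f"due in {days} days"
        print(f"{host}: {cve} unpatched, {state}")
```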
The ongoing exploitation of such foundational virtualization infrastructure software emphasizes the persistent threat landscape. As more sophisticated attack vectors emerge, maintaining robust patch management practices and staying informed about CISA’s KEV catalog are essential components of a comprehensive enterprise security strategy. The situation surrounding CVE-2024-37079 serves as a stark reminder of the need for continuous vigilance and proactive security measures in the complex world of IT infrastructure.