
VMware vCenter Server bug added to CISA list of exploited vulnerabilities


The Cybersecurity and Infrastructure Security Agency (CISA) on Jan. 23 added a critical VMware vCenter Server remote code execution (RCE) flaw exploited in the wild to its Known Exploited Vulnerabilities (KEV) catalog.

Originally patched in 2024, the CVSS 9.8-rated bug — CVE-2024-37079 — lets attackers exploit a heap overflow weakness in the DCE/RPC protocol implementation of vCenter Server, the platform admins use to manage Broadcom’s VMware ESXi hosts and virtual machines.

DCE/RPC stands for Distributed Computing Environment/Remote Procedure Calls, a protocol that VMware vCenter Server uses for inter-process communication between services such as certificate management, directory services, and authentication. When attackers exploit flaws in that implementation, the result can be RCE on the vCenter Server itself.

“A successful RCE on a vCenter Server is potentially more devastating than an Okta breach, as it grants attackers ‘virtual physical access’ to all servers, databases, and applications within the environment without specific privileges or user interaction,” said Damon Small, a board member at Xcape, Inc.

Small said that by leveraging this heap overflow in the DCE/RPC protocol, threat actors can move laterally from the management plane to the hypervisors, allowing them to disable security measures, compromise backups, and encrypt entire datastores at the hardware level.

“Organizations must immediately identify all vCenter instances, segregate management interfaces from public internet access, implement the latest Broadcom patches addressing the full DCE/RPC vulnerability set from 2024, and closely monitor for any unusual activity or configuration changes related to vCenter and ESXi,” said Small.

Shane Barney, chief information security officer at Keeper Security, said what makes vulnerabilities like CVE-2024-37079 particularly dangerous is that they let attackers operate through trusted administrative paths. Actions taken through a management platform often look legitimate, said Barney, which lets adversaries move at scale without triggering the kinds of alerts that come from attacking individual systems.

“The three-week window under BOD 22-01 reinforces how seriously this class of risk is treated in government,” said Barney. “Patching is mandatory, but it shouldn’t be the only response. Management systems need to be treated as highly-privileged assets secured by a privileged access management solution, with strict limits on who can access them, how they’re reached and what they’re allowed to do.”

Mayuresh Dani, security research manager at the Qualys Threat Research Unit, pointed out that Broadcom patched CVE-2024-37079 in June 2024, yet CISA confirmed active exploitation almost 19 months later, in January 2026, a substantial delay.

Dani underscored that CVE-2024-37079 becomes even more critical when combined with a four-flaw cluster affecting the DCE/RPC protocol implementation: CVE-2024-37079, CVE-2024-37080, CVE-2024-38812, CVE-2024-38813. VMware customers should do the following:

  • Audit and patch all vCenter Server instances.
  • Monitor vCenter logs for unexpected DCE/RPC protocol errors and failed authentication attempts from unusual source IPs.
  • Consider air-gapping the vCenter management network, or at least segmenting it from production networks.
  • Adopt a zero-trust architecture for management plane access.
  • Implement hardware security modules (HSMs) or encrypted key management for vCenter.
  • Develop procedures for rapid vCenter rebuild from clean installation media.
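The monitoring step above can be turned into a simple triage script. The following is an added example, not code from the article or from Broadcom: it parses constructed, vCenter-style syslog lines (the field layout is an assumption; real vCenter services log in their own formats, so the regexes will need adjusting), counts failed authentication attempts per source IP, and flags sources outside an assumed management subnet, along with DCE/RPC error sources that fall outside that subnet.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an ASSUMED vCenter-style syslog layout.
# Real vCenter log formats vary by version and service; adjust the regexes.
SAMPLE_LOGS = """\
2026-01-23T10:01:02Z vcenter01 vmware-sts: authentication failed for user 'administrator@vsphere.local' from 10.20.0.15
2026-01-23T10:01:05Z vcenter01 vmware-sts: authentication failed for user 'administrator@vsphere.local' from 203.0.113.42
2026-01-23T10:01:06Z vcenter01 vmware-sts: authentication failed for user 'root' from 203.0.113.42
2026-01-23T10:01:07Z vcenter01 vmware-sts: authentication failed for user 'svc-backup' from 203.0.113.42
2026-01-23T10:01:09Z vcenter01 vmware-sts: authentication succeeded for user 'administrator@vsphere.local' from 10.20.0.15
2026-01-23T10:02:11Z vcenter01 vmware-vpxd: DCE/RPC error: malformed request from 198.51.100.7
"""

# Assumed management subnet(s); any other source is treated as "unusual".
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

FAILED_AUTH = re.compile(r"authentication failed for user '([^']+)' from (\S+)")
RPC_ERROR = re.compile(r"DCE/RPC error: (.+?) from (\S+)")


def is_unusual(ip: str) -> bool:
    """True when the source IP is outside every management subnet."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in MANAGEMENT_NETS)


def analyze(log_text: str, threshold: int = 3) -> dict:
    """Summarise failed logins per source and DCE/RPC errors from unusual sources."""
    failed = Counter()
    rpc_sources = set()
    for line in log_text.splitlines():
        m = FAILED_AUTH.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = RPC_ERROR.search(line)
        if m and is_unusual(m.group(2)):
            rpc_sources.add(m.group(2))
    # Sources with repeated failures that also sit outside the management subnet.
    suspicious_auth = sorted(ip for ip, n in failed.items()
                             if n >= threshold and is_unusual(ip))
    return {"failed_by_ip": dict(failed),
            "suspicious_auth": suspicious_auth,
            "unusual_rpc_sources": sorted(rpc_sources)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOGS))
```

On the constructed sample, 203.0.113.42 is reported for repeated failed logins from outside the management subnet and 198.51.100.7 for a DCE/RPC error from an unusual source, while the single failure from 10.20.0.15 is not flagged.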
