Patch or die: VMware vCenter Server bug fixed in 2024 under attack today
Summary
A critical out-of-bounds write vulnerability in VMware vCenter Server’s DCERPC implementation (CVE-2024-37079) with a CVSS score of 9.8 is being exploited in the wild. Broadcom issued a patch in June 2024, but attackers are now actively leveraging the flaw. The US CISA has added the bug to its Known Exploited Vulnerabilities (KEV) catalog and requires federal agencies to patch by 13 February 2026. Broadcom and CISA have warned of exploitation but provided limited public details about scope or attribution.
Key Points
- CVE-2024-37079: an out-of-bounds write in vCenter Server’s DCERPC protocol, rated CVSS 9.8 (critical).
- Broadcom released a fix in June 2024 — more than 18 months before current exploitation was reported.
- CISA added the flaw to its KEV catalog on 23 January 2026, setting a federal patch deadline of 13 February 2026.
- Broadcom says it has information suggesting in-the-wild exploitation; details about who is being targeted or what the attackers are doing remain sparse.
- Experts note virtualisation infrastructure is a high-value target for both state-backed and financially motivated actors; similar DCERPC bugs were previously abused by China-linked groups.
- Immediate mitigations: apply Broadcom’s June 2024 updates, ensure vCenter is never exposed to the public internet, and hunt for signs of prior footholds in your environment.
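The first two mitigations above (apply the June 2024 update, keep vCenter off the public internet) are worth turning into a repeatable inventory check rather than a one-off. The following is an added example, not code from the article, The Register or Broadcom. It compares each appliance's running version against a minimum fixed version for its own release line (7.0 and 8.0 builds are not comparable with a single threshold) and flags any management address that falls outside an allow-listed management network. The fixed-version numbers are placeholders because the article does not list them; substitute the versions from Broadcom's June 2024 advisory before use. The inventory, host names and management CIDR are constructed.

```python
"""Triage a vCenter inventory for CVE-2024-37079 exposure (added example).

Two checks per appliance:
  1. is the running version at or above the fixed minimum for its release line?
  2. is its management address inside the allow-listed management networks?
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# PLACEHOLDER thresholds: the article gives no build numbers.  Replace with the
# fixed versions from Broadcom's June 2024 advisory (VMSA) for each release line.
FIXED_MIN_PLACEHOLDER = {
    "7.0": "7.0.3.99999",  # placeholder, not a real fixed build
    "8.0": "8.0.2.99999",  # placeholder, not a real fixed build
}

# Constructed: the networks where vCenter management interfaces are allowed to live.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]


def parse_version(text: str) -> tuple[int, ...]:
    """'8.0.2.00100' -> (8, 0, 2, 100); anything non-numeric is rejected."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def release_line(version: tuple[int, ...]) -> str:
    """(7, 0, 3, 1800) -> '7.0'; fixed builds are only comparable within a line."""
    return f"{version[0]}.{version[1]}"


def is_patched(running: str, fixed_min: dict[str, str] = FIXED_MIN_PLACEHOLDER) -> bool | None:
    """True/False against the line's fixed minimum; None if the line is unknown.

    A patched 7.0 build is numerically below every 8.0 build, so the comparison
    must be per release line, never against one global threshold.
    """
    v = parse_version(running)
    line = release_line(v)
    if line not in fixed_min:
        return None
    return v >= parse_version(fixed_min[line])


def in_mgmt_network(addr: str, networks=MGMT_NETWORKS) -> bool:
    """True if the management address sits inside an allow-listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


@dataclass
class Finding:
    host: str
    issues: list[str] = field(default_factory=list)


def triage(inventory: list[dict], fixed_min: dict[str, str] = FIXED_MIN_PLACEHOLDER,
           networks=MGMT_NETWORKS) -> list[Finding]:
    """Return one Finding per appliance that has at least one issue."""
    findings: list[Finding] = []
    for entry in inventory:
        f = Finding(entry["host"])
        patched = is_patched(entry["version"], fixed_min)
        if patched is False:
            f.issues.append("unpatched for CVE-2024-37079: apply Broadcom's June 2024 update")
        elif patched is None:
            f.issues.append("unknown release line: verify manually against the advisory")
        if not in_mgmt_network(entry["address"], networks):
            f.issues.append(f"management address {entry['address']} is outside the "
                            "allowed management networks: isolate vCenter")
        if f.issues:
            findings.append(f)
    return findings


# Constructed sample inventory; hosts, versions and addresses are not real.
SAMPLE_INVENTORY = [
    {"host": "vc-prod-01", "version": "8.0.2.00100", "address": "10.10.5.20"},
    {"host": "vc-lab-02",  "version": "7.0.3.01800", "address": "203.0.113.7"},
    {"host": "vc-old-03",  "version": "6.7.0.50000", "address": "192.168.1.9"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.host}: " + "; ".join(finding.issues))
```

Feed `triage()` the real fixed versions as the `fixed_min` argument once you have them from the advisory; the per-line dictionary is the point of the design, since a vCenter 7.0 appliance on its fixed build would otherwise be reported as older than an unpatched 8.0 one.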
Content summary
The flaw allows an attacker with network access to send specially crafted packets to vCenter Server, potentially enabling remote code execution. Broadcom updated its advisory to say exploitation has occurred. CISA’s KEV listing forces federal timetables for remediation; however, Broadcom has not disclosed exploitation scope and did not provide comment to reporters. Security researchers warn that publicly available vulnerability details — even old ones — are often reused by attackers, so unpatched systems remain at risk.
Context and relevance
This is important because vCenter controls virtual infrastructure across many organisations; a compromise can let attackers move laterally and take control of critical assets. The incident underlines two persistent themes: (1) critical patches must be applied promptly, and (2) management interfaces like vCenter must be isolated from the internet. The situation also highlights how older disclosed bugs can be weaponised long after fixes are published, especially against targets with weak patching discipline.
Why should I read this
Short version: if you run vCenter and didn’t patch this in 2024, you’re basically inviting trouble. Patch now, lock down access, and hunt for signs of compromise — your virtual infrastructure is worth a lot to attackers.
Source
Source: https://www.theregister.com/2026/01/23/critical_vmware_vcenter_server_bug/
