securityonline.info 1/25/2026, 8:06:00 AM · via preferred

CISA Alert: Critical VMware vCenter RCE (CVSS 9.8) Now Exploited in the Wild


The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-37079, a VMware vCenter Server flaw, to its Known Exploited Vulnerabilities (KEV) catalog, confirming active weaponisation against enterprise networks. The flaw carries a CVSS score of 9.8 and is described as an out-of-bounds write (heap overflow) in the DCERPC protocol implementation; an attacker with network access to a vulnerable vCenter Server can trigger it by sending a specially crafted network packet.

If exploited, it enables remote code execution without a password or any prior authentication. Broadcom had already resolved the issue in June 2024, alongside CVE-2024-37080, so patches have been available for more than a year; Broadcom's advisory has now been updated to reflect in-the-wild abuse. CISA notes that the specific threat actors and the scale of exploitation remain unclear, but the confirmation of active exploitation changes the defender's calculus, and federal agencies are directed to remediate by 13 February 2026.


Article by CyberSIXT