A SecurityWeek report warns that a critical VMware vCenter Server flaw, tracked as CVE-2024-37079 with a CVSS score of 9.8, can be exploited via crafted network packets to achieve remote code execution. The vulnerability is an out-of-bounds write in the DCERPC protocol implementation: incorrect bounds checking during packet processing overflows heap memory, allowing a remote attacker with network access to vCenter Server to execute arbitrary code.
According to CISA and Broadcom, the flaw has been added to the Known Exploited Vulnerabilities catalog. Patches were released in June 2024, and Broadcom later updated its advisory to note that the bug is being abused. Broadcom states that there is information to suggest exploitation in the wild, although no public reports detailing in-the-wild attacks appear to have surfaced.
Federal agencies have three weeks to identify and patch affected vCenter deployments under Binding Operational Directive 22-01, and SecurityWeek urges organisations to review CISA’s KEV catalog and apply available fixes and mitigations.