Actively Exploited VMware vCenter Vulnerability Added to CISA KEV List

U.S. cybersecurity authorities have escalated the risk status of a critical VMware vCenter Server vulnerability after confirming active exploitation in real environments.

The flaw, tracked as CVE-2024-37079, affects Broadcom VMware vCenter Server and allows remote code execution over the network under specific conditions. Although a fix was released in mid-2024, recent updates confirm that the vulnerability is now being abused in the wild.

What Changed

The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Inclusion in this list signals that exploitation is no longer theoretical and that unpatched systems are at elevated risk.

KEV entries are used by U.S. federal agencies and many enterprises worldwide as a prioritization mechanism for patching and risk reduction.

Technical Overview

CVE-2024-37079 is caused by improper memory handling in the DCE/RPC service within vCenter Server. A specially crafted network request can trigger a heap overflow, potentially allowing an attacker with network access to execute arbitrary code.

Security research has shown that this flaw is part of a broader vulnerability cluster affecting the same service. In some attack scenarios, similar issues can be chained with privilege escalation weaknesses to gain full administrative control over virtualized infrastructure.

Why vCenter Is a High-Value Target

vCenter Server is a central management component for virtual environments. Compromise at this layer can expose:

  • ESXi hosts

  • Virtual machines

  • Backup and recovery systems

  • Management credentials and automation pipelines

This makes vCenter vulnerabilities especially attractive for ransomware operators and advanced intrusion campaigns.

Exploitation Status

While public details about the attackers or exploitation methods remain limited, Broadcom has confirmed evidence of real-world abuse. As a result, remediation timelines have shifted from “recommended” to “urgent.”

For U.S. federal agencies, patching is now mandatory within defined timelines. For all other organizations, KEV inclusion should be treated as a strong signal to prioritize updates immediately.

DIAMATIX Perspective

From a DIAMATIX perspective, this case reinforces a recurring pattern. Vulnerabilities in virtualization and management layers often remain exposed long after patches are available, creating long-lived attack windows.

KEV inclusion highlights that risk should be assessed not by patch release date, but by exploitation status and asset criticality. Systems that control infrastructure require accelerated patch cycles, continuous monitoring, and restricted exposure.
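One way to turn the KEV signal into a patch queue ranked by exploitation status and asset criticality rather than patch age, as an added example that is not DIAMATIX's or CISA's code. It assumes a constructed excerpt in the shape of CISA's KEV JSON feed (field names as in the real feed; the dates and the second entry are placeholders, not real catalog data) and a constructed asset inventory.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The first cveID is
# the vCenter flaw discussed above; dates and the second record are placeholders.
KEV_FEED_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-37079", "vendorProject": "Broadcom",
         "product": "VMware vCenter Server", "dateAdded": "2025-01-01",
         "dueDate": "2025-01-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00001", "vendorProject": "Example", "product": "Example",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
         "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed asset inventory: hostname, criticality tier (3 = infrastructure
# control plane such as vCenter), and the CVEs still open on that host.
ASSETS = [
    {"host": "vcenter01", "criticality": 3, "cves": ["CVE-2024-37079"]},
    {"host": "lab-vm07", "criticality": 1, "cves": ["CVE-2024-37079"]},
    {"host": "web02", "criticality": 2, "cves": ["CVE-0000-00002"]},
]

def load_kev(feed_json):
    """Index a KEV feed by CVE id so lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(assets, kev, today_iso):
    """Rank open findings. KEV membership dominates the score, known ransomware
    use adds weight, then asset criticality; days_left is the time remaining
    to the KEV due date (negative means overdue, None if not in KEV)."""
    today = date.fromisoformat(today_iso)
    rows = []
    for asset in assets:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                score, days_left = asset["criticality"], None
            else:
                days_left = (date.fromisoformat(entry["dueDate"]) - today).days
                ransomware = entry["knownRansomwareCampaignUse"] == "Known"
                score = 100 + (10 if ransomware else 0) + 3 * asset["criticality"]
            rows.append({"host": asset["host"], "cve": cve, "in_kev": entry is not None,
                         "score": score, "days_left": days_left})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for row in prioritize(ASSETS, load_kev(KEV_FEED_SAMPLE), "2025-01-10"):
        print(row)
```

With the sample data the vCenter host lands at the top even though the lab VM carries the same CVE, and the non-KEV finding on the more critical web host sorts last.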

Sources

  • CISA. Known Exploited Vulnerabilities (KEV) Catalog.

  • Broadcom. VMware Security Advisory for CVE-2024-37079.

  • Black Hat Asia 2025. Research on DCE/RPC vulnerabilities in VMware.

  • Independent vulnerability analysis and disclosure records.