Patch or die: VMware vCenter Server bug fixed in 2024 under attack today
- News link: https://www.theregister.co.uk/2026/01/23/critical_vmware_vcenter_server_bug/
The vulnerability, tracked as [1]CVE-2024-37079, is an out-of-bounds write flaw in vCenter Server's implementation of the DCERPC protocol that earned a 9.8 out of 10 CVSS rating. In other words: it's almost as bad as it gets.
DCERPC, which stands for [2]Distributed Computing Environment/Remote Procedure Calls, allows software to invoke procedures and services on a remote system across a network. This bug can be abused by someone with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution, and on Friday, both the vendor and the feds warned that this - or something along these lines - is happening.
"Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild," the vendor [4]warned in an update to its June 18, 2024 security advisory.
Also on Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) [7]added this critical security hole to its [8]Known Exploited Vulnerabilities (KEV) Catalog. This means federal agencies must patch the flaw by February 13 - again, we must note that Broadcom issued a software update that [9]fixes this CVE more than a year and a half ago, and June 2024 would have been the optimal time to deploy the patch.
CISA's KEV lists the bug's use in ransomware campaigns as "unknown," and Broadcom didn't provide any details about the scope of exploitation, or respond to The Register's inquiries about CVE-2024-37079's abuse. We'll update this story as we learn more about who is abusing this flaw, and what they are doing with the illicit access to enterprises' vCenter Servers.
VulnCheck VP of security research Caitlin Condon told The Register that virtualization infrastructure - including Broadcom's vCenter Server - is a favorite target for both government-backed hackers and financially motivated cybercriminals.
"As an example, [14]CVE-2023-34048, a prior vulnerability in vCenter Server's DCERPC protocol, was exploited by at least [15]three known China-nexus threat actors (Fire Ant, Warp Panda, and UNC3886)," Condon said.
Condon said she's not surprised to see the bug being exploited by attackers considering [17]details about the vulnerability have been public for more than a year.
"It's common to see threat actors - including state-sponsored groups - opportunistically leveraging even older public vulnerability information to conduct new attacks, so it's not terribly surprising that the vulnerability has seen exploitation in the wild," she said.
"While there are no immediate details on threat actor attribution or attacker behavior, vCenter Server should never, ever be exposed to the public internet, so it's likely the adversary already had a foothold in the victim environment," Condon added. ®
[1] https://www.cve.org/CVERecord?id=CVE-2024-37079
[2] https://en.wikipedia.org/wiki/DCE/RPC
[4] https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
[7] https://www.cisa.gov/news-events/alerts/2026/01/23/cisa-adds-one-known-exploited-vulnerability-catalog
[8] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[9] https://www.theregister.com/2024/06/18/vmware_criticial_vcenter_flaws/
[14] https://www.theregister.com/2024/01/20/chinese_russia_vmware_microsoft/
[15] https://www.theregister.com/2024/03/27/surge_in_enterprise_zero_days
[17] https://www.zerodayinitiative.com/blog/2024/8/27/cve-2024-37079-vmware-vcenter-server-integer-underflow-code-execution-vulnerability
Re: Free C&D for you!
Reuters is reporting Fidelity just dropped its suit against Broadcom over access to VMware. Details were not disclosed. I expect BCom may have caved on this one. I'm not sure I'd want what may be the largest shark in the tank to come after me. Report said Fid has 17.5T in customer assets. That is almost 1/2 the total US debt they are the custodian of. I use 'em, and I know most do. Imagine what their managers could do to you if you crossed them. Be a shame if your stock cratered because our mutual funds sold all their BRCM. Or that secondary offering you wanted to do, good luck finding buyers.
Free C&D for you!
Not mentioned: the Cease and Desist letter for having it installed after your maintenance is expired, even if you were under maintenance at the time.
And you can't download it now unless you've paid the 10x price hike for the features you don't want or can't use.