A critical security flaw in VMware vCenter Server is under active attack. CISA has added CVE-2024-37079 to its Known Exploited Vulnerabilities (KEV) catalog, a move that underscores the urgency of the situation. The vulnerability, rated CVSS 9.8, allows an attacker with network access to execute code remotely on the server by sending specially crafted packets.
Here is the part that makes this case unusual: Broadcom patched the vulnerability back in June 2024, together with a second heap overflow (CVE-2024-37080). Both flaws were discovered by Hao Zheng and Zibo Li of QiAnXin LegendSec. The story does not end there, however. At Black Hat Asia 2025, the same researchers showed that CVE-2024-37079 is one of four vulnerabilities in the DCE/RPC service: three heap overflows and a privilege escalation bug. This is the detail most coverage misses: the flaws can be chained, letting an attacker gain unauthorized remote root access and take control of ESXi.
Although a fix has been available since then, exploitation of CVE-2024-37079 continues, and the attackers have not been identified. Broadcom has confirmed active abuse of the vulnerability and stresses that the update should be applied immediately. Federal Civilian Executive Branch (FCEB) agencies are now mandated to patch their systems by February 13, 2026.
Open questions remain: how widespread is this exploitation, and what other systems might be at risk? The situation is a stark reminder of the constant pressure on infrastructure that is exposed but left unpatched. Stay tuned for further updates on this evolving story, and share your thoughts in the comments below: is the response from Broadcom and CISA enough, or should more be done to address these vulnerabilities?