CISA says critical VMware RCE flaw now actively exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical VMware vCenter Server vulnerability as actively exploited and ordered federal agencies to secure their servers within three weeks.

Patched in June 2024, this security flaw (CVE-2024-37079) stems from a heap overflow weakness in the DCERPC protocol implementation of vCenter Server (a Broadcom VMware vSphere management platform that helps admins manage ESXi hosts and virtual machines).

Threat actors with network access to vCenter Server may exploit this vulnerability by sending a specially crafted network packet that can trigger remote code execution in low-complexity attacks that don’t require privileges on the targeted systems or user interaction.

There are no workarounds or mitigations for CVE-2024-37079, so Broadcom advised customers to apply security patches to the latest vCenter Server and Cloud Foundation releases as soon as possible.

On Friday, CISA added the vulnerability to its catalog of flaws exploited in the wild, giving Federal Civilian Executive Branch (FCEB) agencies three weeks to secure vulnerable systems by February 13th, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.

FCEB agencies are non-military U.S. executive branch agencies, such as the Department of State, the Department of Justice, the Department of Energy, and the Department of Homeland Security.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

The same day, Broadcom updated its original advisory and confirmed that it’s also aware that CVE-2024-37079 has been exploited in the wild.

“Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild,” it cautioned.

In October, CISA also ordered U.S. government agencies to patch a high-severity vulnerability (CVE-2025-41244) in Broadcom’s VMware Aria Operations and VMware Tools software, which Chinese hackers had been exploiting in zero-day attacks since October 2024.

Last year, Broadcom also released security patches to address two high-severity VMware NSX flaws (CVE-2025-41251 and CVE-2025-41252) reported by the U.S. National Security Agency (NSA) and fixed three other actively exploited VMware zero-days (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) reported by Microsoft.

Secrets Security Cheat Sheet: From Sprawl to Control

Whether you’re cleaning up old keys or setting guardrails for AI-generated code, this guide helps your team build securely from the start.

Get the cheat sheet and take the guesswork out of secrets management.

Download Now