CISA Flags Actively Exploited VMware vCenter RCE in KEV Catalog

by | Jan 26, 2026 | News





The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Broadcom VMware vCenter Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed exploitation in the wild.

Key Details

  • CVE: CVE-2024-37079
  • Severity: CVSS 9.8 (Critical)
  • Impact: Unauthenticated remote code execution (RCE)
  • Component: vCenter Server DCE/RPC implementation
  • Patch Released: June 2024
  • KEV Added: January 2026
  • Deadline for FCEB Agencies: February 13, 2026

What’s the Issue?

CVE-2024-37079 is a heap overflow vulnerability in the DCE/RPC protocol handling within VMware vCenter Server. An attacker with network access can send a specially crafted packet to trigger memory corruption and execute arbitrary code on the target system.

Broadcom has now officially confirmed in-the-wild exploitation:

“Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild.”


Part of a Larger Exploit Chain

Security researchers Hao Zheng and Zibo Li (QiAnXin LegendSec) revealed at Black Hat Asia 2025 that this flaw is part of a broader set of DCE/RPC vulnerabilities:

  • CVE-2024-37079 – Heap overflow (RCE) ✅ actively exploited
  • CVE-2024-37080 – Heap overflow (RCE)
  • CVE-2024-38812 – Heap overflow
  • CVE-2024-38813 – Privilege escalation

Notably, the researchers demonstrated that the heap overflows can be chained with CVE-2024-38813 to achieve remote root access and full ESXi takeover, making this class of bugs especially dangerous in virtualized environments.

What’s Unknown

  • The identity of the threat actor(s)
  • The exploitation vector used in real-world attacks
  • The scale and targeting of ongoing campaigns




Required Action

  • Immediate patching is strongly recommended
  • Organizations running VMware vCenter Server should verify they are on a fully patched version
  • FCEB agencies must remediate by February 13, 2026, per KEV requirements
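One way to track the KEV deadline against the CVE set listed above, as an added example (not code from this article, CISA or Broadcom). The field names `cveID`, `dateAdded` and `dueDate` follow CISA's KEV JSON feed; the sample record is constructed from the dates in this article (`dateAdded` is assumed from the alert URL), and the `unpatched` inventory set is hypothetical.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed. It holds only the entry
# this article reports; absence here says nothing about the real catalog.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2024-37079", "vendorProject": "Broadcom",
   "product": "VMware vCenter Server",
   "dateAdded": "2026-01-23", "dueDate": "2026-02-13"}
]}
""")

# The DCE/RPC CVE set listed in the article.
VCENTER_CVES = ["CVE-2024-37079", "CVE-2024-37080",
                "CVE-2024-38812", "CVE-2024-38813"]


def kev_status(catalog, cves, today):
    """Map each CVE to its KEV status and the days left until its due date."""
    index = {v["cveID"].upper(): v for v in catalog.get("vulnerabilities", [])}
    report = {}
    for cve in cves:
        entry = index.get(cve.upper())
        if entry is None:
            report[cve] = {"in_kev": False, "due": None,
                           "days_left": None, "overdue": False}
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        report[cve] = {"in_kev": True, "due": due,
                       "days_left": days_left, "overdue": days_left < 0}
    return report


def open_findings(report, unpatched):
    """KEV-listed CVEs still unpatched in the inventory, soonest deadline first."""
    hits = [(c, r) for c, r in report.items() if r["in_kev"] and c in unpatched]
    return [c for c, _ in sorted(hits, key=lambda item: item[1]["due"])]


if __name__ == "__main__":
    status = kev_status(KEV_SAMPLE, VCENTER_CVES, date.today())
    # Hypothetical inventory result: CVEs a scan still reports on vCenter hosts.
    unpatched = {"CVE-2024-37079", "CVE-2024-38813"}
    for cve in open_findings(status, unpatched):
        s = status[cve]
        label = "OVERDUE" if s["overdue"] else f"{s['days_left']} days left"
        print(f"{cve}: due {s['due']} ({label})")
```
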

Why This Matters

vCenter is a high-value target—compromise can lead to:

  • Full control of virtualization infrastructure
  • ESXi host takeover
  • Lateral movement across critical workloads

This KEV addition signals real, ongoing risk, not theoretical exposure.


Sources: thehackernews.com, cisa.gov/news-events/alerts/2026/01/23/cisa-adds-one-known-exploited-vulnerability-catalog
