Critical VMware vCenter Vulnerability CVE-2024-37079 Added to CISA’s KEV Catalog


By Tina Reynolds


This vulnerability has been officially added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. The high-severity flaw, which carries a CVSS score of 9.8, has received significant attention after the government warned of its potential for widespread exploitation. It was discovered by independent researchers Hao Zheng and Zibo Li of the Chinese cybersecurity firm QiAnXin LegendSec: CVE-2024-37079 is a heap overflow in vCenter Server's implementation of the DCE/RPC protocol.

CVE-2024-37079 allows an attacker with network-level access to an exploitable vCenter Server to obtain remote code execution (RCE) by sending a crafted network packet. Because vCenter manages the surrounding virtual infrastructure, this puts the affected systems and networks at serious risk. Broadcom patched the vulnerability in June 2024, and the release of these fixes has widely mitigated the threat.

Details of the Vulnerability

The vulnerability was one of four issues discovered in the DCE/RPC service: three separate heap overflows and one privilege escalation vulnerability. Of these, CVE-2024-37080, which also affects the Apache HTTP Server, is another heap overflow that could likewise allow remote code execution. Both vulnerabilities were patched by Broadcom in June 2024, underscoring the need for quick action on these security flaws.

Two further CVEs, CVE-2024-38812 and CVE-2024-38813, were patched by Broadcom in September 2024. Importantly, at least one of the heap overflow vulnerabilities can be chained with the previously reported privilege escalation vulnerability CVE-2024-38813. This chain would allow unauthorized remote root access, giving attackers the ability to take over ESXi environments.

Evidence of Exploitation

Broadcom has stated, based on its own information, that exploitation of CVE-2024-37079 may have already occurred in the wild. The discovery of this vulnerability is therefore more than an interesting story: organizations need to move quickly to protect their systems from attack.

CISA recently added CVE-2024-37079 to its KEV catalog. This is an important wake-up call for all organizations running VMware vCenter Server to prioritize patching and to actively monitor for indicators of possible exploitation. The agency documented widespread exploitation still taking place in the field and highlighted the critical need for affected organizations to apply the required fixes.

“Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild.” – Broadcom
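One way a defender can turn the article's two points (the KEV listing with its remediation due date, and the heap-overflow plus CVE-2024-38813 chain) into a patch-triage check. This is an added example, not code from the article or from CISA or Broadcom; the KEV feed sample, its dates and the set of unpatched CVEs are constructed placeholders, and the CVE classification follows the article's own grouping.

```python
import json
from datetime import date

# CVEs named in the article, grouped by the class the article assigns them.
HEAP_OVERFLOWS = {"CVE-2024-37079", "CVE-2024-37080", "CVE-2024-38812"}
PRIV_ESC = {"CVE-2024-38813"}

# Constructed sample in the shape of CISA's KEV JSON feed (the live feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Entries and dates are illustrative placeholders, not the real catalog contents.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-37079", "vendorProject": "VMware", "product": "vCenter Server",
     "dateAdded": "2025-01-10", "dueDate": "2025-01-31"},
    {"cveID": "CVE-2024-38812", "vendorProject": "VMware", "product": "vCenter Server",
     "dateAdded": "2024-11-20", "dueDate": "2024-12-11"},
    {"cveID": "CVE-2024-38813", "vendorProject": "VMware", "product": "vCenter Server",
     "dateAdded": "2024-11-20", "dueDate": "2024-12-11"},
]})


def kev_entries(kev_json: str, cves: set[str]) -> dict[str, date]:
    """Return {cveID: dueDate} for the tracked CVEs that appear in a KEV feed."""
    found = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        if entry["cveID"] in cves:
            found[entry["cveID"]] = date.fromisoformat(entry["dueDate"])
    return found


def patch_plan(kev_json: str, unpatched: set[str], today: date) -> list[tuple[str, int]]:
    """Rank the CVEs still open on a vCenter host by urgency.

    Returns (cve, days_until_kev_due_date) sorted most urgent first; a negative
    number means the KEV due date has already passed. CVEs not (yet) in KEV get
    a large sentinel so they sort last but are still listed for patching."""
    due = kev_entries(kev_json, HEAP_OVERFLOWS | PRIV_ESC)
    plan = [(cve, (due[cve] - today).days if cve in due else 10**6) for cve in unpatched]
    return sorted(plan, key=lambda item: item[1])


def chain_exposed(unpatched: set[str]) -> bool:
    """True when the chain the article describes is possible on this host: an
    unpatched DCE/RPC heap overflow (RCE) plus the unpatched privilege escalation
    CVE-2024-38813, which together would yield remote root access."""
    return bool(unpatched & HEAP_OVERFLOWS) and bool(unpatched & PRIV_ESC)
```

Feed `patch_plan` the host's list of still-open CVEs from your vulnerability scanner and the live KEV JSON; a `chain_exposed` hit should move that host to the top of the queue regardless of individual due dates.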

Presentation at Black Hat Asia

These vulnerabilities, CVE-2024-37079 included, were demonstrated at the Black Hat Asia security conference in April 2025. The presentation brought home how serious these flaws are and urged organizations to take preventative steps to protect their infrastructure.