Critical VMware vCenter Flaw CVE-2024-37079 Added to CISA KEV After Active Exploitation
CISA confirms active exploitation of VMware vCenter Server heap overflow flaw CVE-2024-37079 (CVSS 9.8), urging immediate patching for federal agencies and enterprises.
Critical VMware vCenter Vulnerability Exploited in the Wild
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-37079, a critical heap overflow vulnerability in Broadcom VMware vCenter Server, to its Known Exploited Vulnerabilities (KEV) catalog following confirmed active exploitation. The flaw, patched by VMware in June 2024, carries a CVSS score of 9.8, underscoring its severity.
Technical Details
CVE-2024-37079 is a heap-based buffer overflow vulnerability in VMware vCenter Server, a centralized management platform for VMware vSphere environments. The flaw arises from improper input validation, allowing unauthenticated attackers to execute arbitrary code on vulnerable systems with elevated privileges. Successful exploitation could lead to full system compromise, including unauthorized access to sensitive data, lateral movement within networks, and deployment of additional malicious payloads.
VMware released patches for this vulnerability in June 2024 as part of its security advisory VMSA-2024-0012. The affected versions include:
- VMware vCenter Server 7.0 (all updates prior to 7.0 U3r)
- VMware vCenter Server 8.0 (all updates prior to 8.0 U2b)
Impact Analysis
The inclusion of CVE-2024-37079 in CISA’s KEV catalog signals a high-risk threat to federal agencies and private sector organizations. Under Binding Operational Directive (BOD) 22-01, U.S. federal civilian agencies are required to remediate the flaw by February 14, 2025, to mitigate potential breaches. However, CISA strongly urges all organizations, including state and local governments and critical infrastructure entities, to prioritize patching due to the flaw’s active exploitation.
Security researchers have observed threat actors leveraging this vulnerability to:
- Gain initial access to enterprise networks
- Escalate privileges to administrative levels
- Deploy ransomware, spyware, or backdoors
- Exfiltrate sensitive data
Recommendations
Security teams should take the following steps to mitigate risk:
- Apply Patches Immediately: Upgrade to the latest versions of VMware vCenter Server:
- 7.0 U3r or later
- 8.0 U2b or later
- Isolate Vulnerable Systems: If patching is not immediately feasible, restrict network access to vCenter Server instances to trusted IP addresses only.
- Monitor for Exploitation: Deploy intrusion detection/prevention systems (IDS/IPS) to detect anomalous activity, such as:
- Unusual authentication attempts
- Suspicious process execution
- Unexpected network connections
- Review Logs: Audit vCenter Server logs for signs of compromise, including:
- Failed login attempts
- Unauthorized configuration changes
- Unusual outbound traffic
- Follow CISA Guidance: Refer to CISA’s KEV catalog entry for additional mitigation strategies and indicators of compromise (IOCs).
Conclusion
CVE-2024-37079 represents a critical threat to organizations relying on VMware vCenter Server for virtualization management. With active exploitation confirmed, security teams must act swiftly to apply patches, monitor for malicious activity, and harden their environments against potential attacks. Failure to remediate could result in severe operational disruptions, data breaches, or ransomware incidents.