CISA Alerts Organizations as Ransomware Gangs Actively Exploit Critical VMware ESXi and vCenter Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent cybersecurity alert after finding that a recently disclosed critical VMware vulnerability affecting vCenter Server and underlying ESXi hosts is being actively exploited by attackers — including ransomware threat actors — in real-world attacks. Organizations running virtualized environments are being urged to patch immediately or risk full compromise of their virtual infrastructure.

What’s Happening: Exploitation in the Wild

CISA added the flaw, tracked as CVE-2024-37079, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that attackers are weaponizing the bug rather than merely scanning for systems.

This vulnerability exists in Broadcom’s VMware vCenter Server, the central management platform used to control VMware ESXi hypervisors and virtual machines. A successful exploit lets a remote unauthenticated attacker send a specially crafted network packet to trigger a heap-overflow condition in the Distributed Computing Environment/Remote Procedure Call (DCE/RPC) protocol implementation — leading to remote code execution on the management plane.

Critically, once attackers have RCE on vCenter, they can pivot laterally into underlying ESXi hosts, disable security controls, compromise backups, and position ransomware payloads to encrypt virtual machines and datastores — effectively gaining full control over the virtual infrastructure.


Technical Risk and Impact

CVE-2024-37079 Overview

  • Product: VMware vCenter Server (affecting versions 7.0 & 8.0, including VMware Cloud Foundation)
  • Vulnerability Type: Out-of-bounds write in DCE/RPC protocol
  • Severity: Critical (CVSS base score: 9.8)
  • Access Complexity: Low (no authentication or user interaction required)
  • Exploitability: High — network-reachable attackers can trigger RCE
  • Status: Actively exploited in the wild and added to CISA KEV catalog

This flaw reflects a classic remote heap-overflow vulnerability. The attacker crafts network traffic that causes internal memory corruption in vCenter’s RPC service, granting arbitrary code execution at high privileges. Given vCenter’s role as a management plane, exploiting this bug essentially hands over administrative control of the entire virtualization environment to an attacker.


Connection to VMware ESXi Attacks and Ransomware Trends

While much of the recent alerting has focused on vCenter Server, the ramifications extend to VMware ESXi hypervisors, which host virtual machines. Attackers are known to abuse associated ESXi vulnerabilities as well, including zero-day bugs disclosed in March 2025 (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) that allow VM escape and arbitrary code execution on the hypervisor itself — overwhelmingly attractive targets for ransomware groups and other malicious actors.

Prior campaigns such as ESXiArgs and other malware targeting VMware virtualization platforms have already demonstrated how effective such attacks can be: encryption of virtual machine configuration and datastore files brings entire infrastructures to a halt.

Additionally, advanced persistent threats (APTs) have deployed sophisticated backdoors like BRICKSTORM and related implants into VMware vCenter/ESXi platforms for long-term stealthy access — highlighting that both criminal and state-linked actors are increasingly eyeing virtualization environments.


Why This Matters for Security

Virtual infrastructures like VMware’s are foundations of enterprise IT — hosting everything from business applications and databases to backups and domain controllers. Compromise of these systems can effectively mean compromise of the entire enterprise.

The combination of:

  • A publicly exploitable critical RCE bug (CVE-2024-37079)
  • Evidence of active exploitation
  • The central administrative role of vCenter

makes this one of the most serious virtualization-related security incidents in recent memory.

Attackers rarely need to chain many conditions — the bug can be triggered over the network without authentication or user interaction, and the potential impact includes full infrastructure takeover and ransomware deployment.


Mitigations and Response Actions

Immediate Remediation

  • Apply VMware patches: VMware released fixes in June 2024 — organizations that have not updated should do so immediately, prioritizing vCenter Server and associated Cloud Foundation versions.
  • Isolate management interfaces: Limit or block external network access to vCenter and ESXi management ports to reduce attack surface.
  • Network segregation: Separate management planes from general IT networks and apply strict filtering.
  • Monitor for exploitation indicators: Look for anomalous traffic to the DCE/RPC service and unexpected administrative connections to vCenter.
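The two network controls above (isolating management interfaces and watching for unexpected connections to vCenter) can be checked together against firewall logs. The following is an added example, not code from CISA or Broadcom; the management subnet, vCenter address, port set and log format are constructed assumptions that would be replaced with an environment's own values.

```python
import ipaddress
import re

# Assumed configuration (not taken from the advisory): vCenter address, the
# subnet allowed to reach it, and the management/DCE-RPC ports to watch.
# Take the authoritative port list from Broadcom's vCenter documentation.
VCENTER_HOSTS = {"10.10.1.5"}
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
VCENTER_MGMT_PORTS = {443, 902, 2012, 2014, 2020}

# Constructed firewall log format: "<ts> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

SAMPLE_LOGS = """\
2024-06-20T10:00:01Z 10.10.0.12:51000 -> 10.10.1.5:443 ALLOW
2024-06-20T10:00:07Z 203.0.113.44:40122 -> 10.10.1.5:2012 ALLOW
2024-06-20T10:00:09Z 203.0.113.44:40123 -> 10.10.1.5:2014 ALLOW
2024-06-20T10:01:15Z 192.168.50.9:33001 -> 10.10.1.5:443 DENY
2024-06-20T10:02:30Z 198.51.100.7:20001 -> 10.10.9.9:2012 ALLOW
"""

def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, _sport, dst, dport, action = m.groups()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
            "dport": int(dport), "action": action}

def is_management_source(src):
    return any(src in net for net in ALLOWED_MGMT_NETS)

def find_suspect_connections(log_text):
    """Allowed connections to vCenter management ports from outside the management subnet."""
    suspects = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue  # denied traffic means the filter worked; only permitted reach matters
        if (rec["dst"] in VCENTER_HOSTS and rec["dport"] in VCENTER_MGMT_PORTS
                and not is_management_source(rec["src"])):
            suspects.append(rec)
    return suspects

def summarize(suspects):
    """Group hits by source so one host touching several management ports stands out."""
    by_src = {}
    for rec in suspects:
        by_src.setdefault(str(rec["src"]), set()).add(rec["dport"])
    return by_src

if __name__ == "__main__":
    for src, ports in summarize(find_suspect_connections(SAMPLE_LOGS)).items():
        print(f"{src} reached vCenter management ports {sorted(ports)} from outside the management subnet")
```

A hit here is evidence that the segmentation control is not in place as much as an exploitation indicator, so it should drive a firewall-rule review as well as a host investigation.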

Long-Term Hardening

  • Regular patch management: Ensure patch cycles for virtualization platforms are treated as critical — unpatched systems are proven ransomware vectors.
  • Backup validation: Maintain offline, immutable backups of virtual machines to reduce ransomware impact.
  • Threat hunting: Use telemetry to detect scanning or exploit attempts against known KEV entries.

Conclusion

The active exploitation of VMware’s critical vulnerability underscores a broader trend in ransomware and virtualization security: attackers will prioritize any flaw that gives them a foothold in the core infrastructure layer. Virtualization platform vulnerabilities such as CVE-2024-37079 are not just bugs they can exploit — they are gates to complete compromise.

Organizations that operate VMware environments must take immediate steps to patch and harden their systems. Failure to do so could rapidly escalate from a network intrusion to full-scale ransomware encryption, data theft, and prolonged operational breakdown.