CISA Adds Actively Exploited VMware vCenter Flaw CVE-2024-37079 to KEV Catalog, Urges Immediate Patching

CVE-2024-37079, a critical vulnerability affecting VMware vCenter Server, has been added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA).
This addition confirms that the vulnerability is actively exploited in real-world attacks, significantly increasing its risk profile. Organizations running affected VMware products should treat this as an immediate remediation priority, not routine patching.


What Is CVE-2024-37079?

CVE-2024-37079 is a heap-overflow vulnerability in VMware vCenter Server, specifically within its DCERPC (Distributed Computing Environment / Remote Procedure Call) implementation. Due to improper memory handling, a specially crafted network request can corrupt memory on the vCenter Server.

In practical terms, this flaw allows an attacker to exploit vCenter remotely by sending malicious network traffic, potentially leading to remote code execution (RCE). The vulnerability does not require authentication, which significantly lowers the barrier to exploitation.


Affected Products

The vulnerability impacts core VMware infrastructure components, including:

  • VMware vCenter Server (7.x and 8.x branches)
  • VMware Cloud Foundation environments that rely on vulnerable vCenter versions

Because vCenter Server sits at the heart of VMware-managed virtual environments, compromise can cascade into control over hypervisors, virtual machines, storage, and networking components.


Severity and Risk Profile

  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Network-based
  • Privileges Required: None
  • User Interaction: None
  • Exploit Maturity: Active exploitation confirmed

A critical CVSS score combined with active exploitation places CVE-2024-37079 in the highest risk category. Attackers do not need valid credentials or local access — only network reachability to the vCenter service.


What Does “Added to CISA KEV” Actually Mean?

CISA’s KEV catalog is not a general vulnerability list. A CVE is only added when there is verified evidence of exploitation in the wild. This means:

  • Threat actors are actively using this vulnerability
  • Exploit code is functional and effective
  • Organizations are already being compromised

For U.S. federal civilian agencies, KEV inclusion creates a mandatory remediation timeline under Binding Operational Directives. For everyone else, KEV status is a strong signal that patching can no longer be delayed without real risk.


Real-World Impact

Successful exploitation of CVE-2024-37079 can allow attackers to:

  • Execute arbitrary code on the vCenter Server
  • Gain administrative-level control over VMware infrastructure
  • Deploy persistent backdoors
  • Move laterally to ESXi hosts and virtual machines
  • Disrupt operations or exfiltrate sensitive data

In observed attack chains, vulnerabilities like this are often paired with privilege escalation or credential theft flaws to achieve full environment compromise.


Exploitation Status

CISA’s KEV designation confirms active exploitation, even though technical details of specific campaigns have not been fully disclosed publicly. Historically, once VMware vCenter vulnerabilities reach this stage, they tend to be:

  • Rapidly weaponized
  • Used by both advanced threat actors and opportunistic attackers
  • Integrated into automated scanning and exploitation frameworks

Given vCenter’s prevalence in enterprise and cloud environments, it remains a high-value target.


Mitigation and Remediation

Patching is the only effective mitigation. VMware has stated there are no viable in-product workarounds for CVE-2024-37079.

Recommended actions include:

  1. Apply VMware security updates immediately
    Upgrade to fixed versions such as:
    • vCenter Server 8.0 U2d
    • vCenter Server 8.0 U1e
    • vCenter Server 7.0 U3r
      (The required fixed version depends on which branch your deployment runs)
  2. Restrict Network Access
    Limit access to vCenter services to trusted management networks only.
  3. Monitor for Indicators of Compromise
    Review logs, authentication events, and unusual process execution on vCenter appliances.
  4. Treat as Incident-Response Adjacent
    Because exploitation is confirmed, organizations should consider basic threat-hunting or forensic review after patching.
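As an added example (not VMware's or CISA's tooling, and not code from this article), the following Python script turns the fixed versions listed in step 1 into an inventory triage: it parses version labels in the "8.0 U2c" form (an assumed inventory export format), compares each host against the fixed update level for its branch, and sorts hosts into vulnerable, patched and unknown buckets so the first bucket can be patched and hunted first. The hostnames and versions in the sample inventory are constructed for the example.

```python
"""Triage a vCenter inventory against the fixed releases for CVE-2024-37079.

Added example, not VMware's or CISA's tooling. The fixed releases below are
the ones named in the advisory text; anything outside them is reported as
'unknown' rather than assumed safe.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases from the advisory, keyed by branch and update number.
# The value is the lowest letter suffix of that update line that carries the fix.
FIXED_RELEASES: Dict[str, Dict[int, str]] = {
    "8.0": {2: "d", 1: "e"},   # vCenter Server 8.0 U2d, 8.0 U1e
    "7.0": {3: "r"},           # vCenter Server 7.0 U3r
}

# Assumed inventory label format, e.g. "8.0 U2c" or "7.0u3r" (case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d+\.\d+)\s*U(\d+)([a-z]?)\s*$", re.IGNORECASE)


def parse_version(label: str) -> Optional[Tuple[str, int, str]]:
    """Return (branch, update_number, letter) or None if the label is not in the expected form."""
    m = _VERSION_RE.match(label)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3).lower()


def assess(label: str) -> str:
    """Classify a vCenter version label as 'patched', 'vulnerable' or 'unknown'.

    'unknown' covers labels the advisory does not speak to: unparseable text,
    a branch it does not list, or an update line newer than the listed fixes.
    Those hosts need a manual check against the vendor advisory.
    """
    parsed = parse_version(label)
    if parsed is None:
        return "unknown"
    branch, update, letter = parsed
    fixes = FIXED_RELEASES.get(branch)
    if fixes is None:
        return "unknown"
    if update in fixes:
        # Same update line as a fixed release: compare the letter suffix.
        # A bare "U2" (no letter) is the GA of that update and sorts before "U2a".
        return "patched" if letter >= fixes[update] else "vulnerable"
    if update < min(fixes):
        # Older update line than any fixed release on this branch.
        return "vulnerable"
    return "unknown"


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the 'vulnerable' bucket can be handled first."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, label in inventory:
        buckets[assess(label)].append(host)
    return buckets


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("vcsa-prod-01.example.internal", "8.0 U2c"),   # one letter below the fix
    ("vcsa-prod-02.example.internal", "8.0 U2d"),   # exactly the fixed release
    ("vcsa-lab-01.example.internal", "8.0 U1e"),
    ("vcsa-lab-02.example.internal", "8.0 U1d"),
    ("vcsa-dr-01.example.internal", "7.0 U3r"),
    ("vcsa-dr-02.example.internal", "7.0 U3q"),
    ("vcsa-old-01.example.internal", "7.0 U2"),     # older update line entirely
    ("vcsa-new-01.example.internal", "8.0 U3"),     # newer than the listed fixes
    ("vcsa-legacy.example.internal", "6.7 U3"),     # branch the advisory does not list
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket is deliberate: the article names three fixed releases, so a host on a later update line (such as 8.0 U3) or on a branch the article does not mention is reported for manual verification instead of being silently marked safe. Hosts in the "vulnerable" bucket are also the natural starting point for the log review and threat hunting described in steps 3 and 4.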

Why This Is Especially Dangerous

vCenter Server is a control plane system. Unlike application servers, its compromise can undermine the entire virtualization stack. An attacker who controls vCenter effectively controls:

  • Virtual machine lifecycle
  • Snapshots and backups
  • Network segmentation
  • Resource allocation
  • Administrative credentials

That makes vulnerabilities like CVE-2024-37079 disproportionately impactful compared to typical server flaws.


The addition of CVE-2024-37079 to the CISA KEV catalog marks a clear escalation in risk. This is no longer about hypothetical exposure — attackers are exploiting this vulnerability right now.

Organizations running VMware environments should:

  • Patch immediately
  • Assume exposure until proven otherwise
  • Prioritize this over non-KEV vulnerabilities