NEWS: One packet = full control of VMware. The hole hasn't been patched for 18 months, servers are falling like dominoes

pinkman

CISA has added CVE-2024-37079 to its list of "active threats."


Attackers continue to exploit a critical vulnerability in VMware vCenter Server, despite a patch having been released over a year ago. Broadcom has confirmed that the bug is being exploited in real-world attacks, and US regulators have officially added it to their list of actively exploited vulnerabilities.

The vulnerability in question is CVE-2024-37079, an out-of-bounds write in the DCERPC protocol implementation of vCenter Server. It carries a CVSS score of 9.8 out of 10, the highest severity band. DCERPC is used for remote procedure and service calls over the network, meaning it lets one system component execute commands on another node. Here, the bug allows an attacker with network access to the virtualization management server to send specially crafted packets and achieve remote code execution.

Simply put, with access to the network where vCenter Server is running, an attacker has the opportunity to gain complete control over the virtual infrastructure management system.

In an update to its security bulletin on June 18, 2024, Broadcom reported that it had evidence of CVE-2024-37079 being exploited "in the wild", that is, in real-world attacks rather than only in lab tests. That same day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, the list of vulnerabilities already being exploited by attackers.

Inclusion in the KEV means that US federal agencies are required to patch the vulnerability; their deadline for installing the patch is February 13. The Broadcom update that fixes CVE-2024-37079, however, was released over a year and a half ago, and the right time to install it was June 2024.

Neither Broadcom nor CISA disclosed details about the scale of the attacks. The KEV catalog lists use of the vulnerability in ransomware campaigns as "unknown." There is also no information about the specific groups behind the attacks or the specific attack scenarios used. Broadcom did not respond to journalists' inquiries about the nature of the exploitation.
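The KEV catalog is published as a machine-readable JSON feed, so the "is this on the KEV, what is the due date, and does it say anything about ransomware use" check the article describes can be automated against a local asset inventory. The following is an added example, not code from the article, Broadcom or CISA. The field names (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`, and so on) follow the public KEV JSON feed; the record contents, dates and the second CVE identifier below are constructed placeholders, not the catalog's actual text.

```python
"""Triage CISA KEV entries against a local asset inventory (added example)."""
import json
from datetime import date, datetime

# Constructed sample in the shape of the public KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the first cveID comes from the article; every other value is made up
# for illustration and is NOT the catalog's real content.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-37079",
            "vendorProject": "VMware",
            "product": "vCenter Server",
            "vulnerabilityName": "Out-of-bounds write in DCERPC (constructed wording)",
            "dateAdded": "2026-01-23",            # constructed date
            "shortDescription": "constructed placeholder description",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-02-13",              # constructed date
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-0000-00001",            # placeholder, unrelated product
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "placeholder",
            "dateAdded": "2026-01-10",
            "shortDescription": "placeholder",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-01-31",
            "knownRansomwareCampaignUse": "Known",
            "notes": "",
        },
    ],
})

# Hypothetical inventory: (vendor, product) pairs the organisation actually runs.
SAMPLE_INVENTORY = {("vmware", "vcenter server")}


def load_kev(feed_text):
    """Parse a KEV-style feed and return its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def matches_inventory(entry, inventory):
    """Case-insensitive match of a KEV record against the inventory."""
    key = (entry["vendorProject"].strip().lower(), entry["product"].strip().lower())
    return key in inventory


def triage(feed_text, inventory, today):
    """Return one triage row per KEV entry that affects something in the inventory.

    Each row carries the CVE id, days past the federal due date (negative while
    the deadline is still ahead), and whether KEV records ransomware use.
    """
    rows = []
    for entry in load_kev(feed_text):
        if not matches_inventory(entry, inventory):
            continue
        due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
        rows.append({
            "cveID": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due_date": due.isoformat(),
            "days_overdue": (today - due).days,
            "ransomware_use": entry["knownRansomwareCampaignUse"],
            "required_action": entry["requiredAction"],
        })
    # Most overdue first, so the oldest unpatched exposure tops the report.
    rows.sort(key=lambda r: r["days_overdue"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, date(2026, 3, 1)):
        state = "OVERDUE" if row["days_overdue"] > 0 else "pending"
        print(f'{row["cveID"]} {row["product"]}: due {row["due_date"]} '
              f'({state}, {row["days_overdue"]} days), ransomware use: {row["ransomware_use"]}')
```

In practice the feed is fetched on a schedule and the inventory comes from a CMDB or vulnerability scanner export; the point of the join is that an entry like this one is only actionable if it is matched to systems you actually run, and that a KEV "Unknown" for ransomware use is absence of evidence, not evidence of absence.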

Analysts note that virtualization infrastructure has long been a focus of both cybercriminal groups and nation-state hackers. Caitlin Condon, Vice President of Security Research at VulnCheck, noted that a previous vulnerability in the DCERPC component of vCenter Server, CVE-2023-34048, had already been exploited by at least three known Chinese-linked groups: Fire Ant, Warp Panda, and UNC3886.

According to her, it is not unusual for attackers to actively exploit vulnerabilities that were published long ago. Details of CVE-2024-37079 have been publicly available for over a year, and such information is regularly reused in new attacks, including by nation-state actors. Condon also notes that vCenter Server should not be reachable from the public internet. The most likely scenario, therefore, is that the attackers already had initial access to the victim's infrastructure and used the vulnerability to further their attack and expand their control within the network.

In the end, the situation once again comes down to a fundamental cybersecurity problem: a critical vulnerability with a ready-made patch remains unpatched for months or years, after which it is used in real attacks against corporate virtual infrastructure management systems.