vCenter CVE-2024-37079 enables RCE
- Broadcom updated its VMware vCenter advisory in January 2026 to say CVE-2024-37079 has been exploited in the wild, turning a 2024 patch into an active-incident issue. (support.broadcom.com)
- The bug sits in vCenter’s DCERPC implementation, carries a 9.8 CVSS score, and can let an unauthenticated attacker reach remote code execution over network access alone. (support.broadcom.com)
- CISA added CVE-2024-37079 to KEV on January 23, 2026, with a February 13 federal remediation deadline — a sign defenders should treat exposed vCenter as urgent. (nvd.nist.gov)
VMware vCenter is the management plane for a lot of virtual infrastructure — the box that admins use to control clusters, hosts, and workloads. That makes a vCenter remote-code-e(support.broadcom.com)nkle is not that the flaw exists — Broadcom patched it on June 17, 2024 — but that Broadcom updated the advisory in January 2026 to say CVE-2024-37079 has been exploited in the wild, and CISA moved it into the Known Exploited Vulnerabilities catalog the same day. (support.broadcom.com)

### What is CVE-2024-37079?

It is a critical memory-corruption bug in v(nvd.nist.gov)dows-style services use for remote procedure calls. NVD classifies it as an out-of-bounds write, while Broadcom describes the issue as one of multiple heap-overflow flaws in the same code path. The practical point is simpler than the taxonomy — a crafted network packet can corrupt memory inside vCenter and potentially turn that into code execution. (support.broadcom.com)

### Why is vCenter the scary target?

Because vCenter is not just another app server. It is the contr(support.broadcom.com) there, the blast radius can extend well beyond one appliance — into the virtual estate that appliance manages. That is why a bug with network reach and no required authentication gets treated as an emergency. (support.broadcom.com)

### Does the attacker need credentials?

No. The vendor and NVD both say network access is enough, with no privileges and no user interaction(support.broadcom.com)d no login needed.” Basically, if an attacker can talk to the vulnerable service, the door may already be open. (support.broadcom.com)

### What changed in 2026?

Broadcom revised VMSA-2024-0012 on January 23, 2026 and added a blunt note: it has information suggesting exploitation of CVE-2024-37079 in the wild. CISA then added the fl(support.broadcom.com)l Directive 22-01. That move matters because KEV is not a generic watchlist — it is CISA’s “this is being used” list. (support.broadcom.com)

### Which versions got fixes?
Broadcom shipped fixes on June 17, 2024. For vCenter 8.0, Update 1e resolves CVE-2024-37079 and CVE-2024(support.broadcom.com)081. If you are on builds older than those fixed releases — or on unsupported versions that never received them — you should assume exposure until proven otherwise. (techdocs.broadcom.com)

### Is there a workaround?

Not a real one. Broadcom says it investigated in-product wor(support.broadcom.com)make sure the management interface is not broadly exposed — but those are risk reducers, not substitutes for the fix. (support.broadcom.com)

### Why does the wording matter so much?

Because “heap overflow,” “out-of-bounds write,” and “crafted packet” can sound abstract. Think of it as sending vCenter an input that makes (techdocs.broadcom.com)ructure RCEs — rare, high-value, and worth immediate attention. (support.broadcom.com)

### Bottom line

This is now an active-exploitation vCenter bug, not just an old advisory sitting in a backlog. If a vCenter server is still unpatched, especially one reachable from untrusted networks, the right timeline is “now,” not “next maintenance window.” (support.broadcom.com)
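To turn the "assume exposure until proven otherwise" rule from the fixes section into a repeatable inventory check, here is an added example (not Broadcom's code or tooling) that parses the version string a vCenter appliance reports and compares it against the fixed patch level for its release train. The per-train patch levels in the table, the numeric form of "8.0 Update 1e", and the shape of the sample JSON bodies are assumptions and placeholders; fill the table from VMSA-2024-0012 before relying on it.

```python
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# PLACEHOLDER table: fixed patch level per vCenter release train, keyed by
# (major, minor, update). The article names only "8.0 Update 1e"; every
# numeric level below is assumed for illustration and must be replaced with
# the fixed-build list from VMSA-2024-0012 before use.
FIXED_PATCH_LEVEL = {
    (8, 0, 1): 500,   # assumed numeric form of 8.0 U1e
    (8, 0, 2): 400,   # PLACEHOLDER for the 8.0 U2 train
    (7, 0, 3): 1700,  # PLACEHOLDER for the 7.0 U3 train
}

def parse_version(text: str) -> Version:
    """Turn an appliance version string such as '8.0.1.00300' into ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unexpected vCenter version string: {text!r}")
    major, minor, update, patch = (int(g) for g in m.groups())
    return (major, minor, update, patch)

def assess(version: Version) -> Optional[bool]:
    """True if the patch level is below the fixed level for its train,
    False if at or above it, None if the train is not in the table
    (unsupported or unknown: treat as exposed until checked by hand)."""
    major, minor, update, patch = version
    fixed = FIXED_PATCH_LEVEL.get((major, minor, update))
    if fixed is None:
        return None
    return patch < fixed

def assess_api_response(body: str) -> Optional[bool]:
    """Apply assess() to a JSON body carrying a 'version' field."""
    return assess(parse_version(json.loads(body)["version"]))

# Constructed sample bodies (assumed field layout, not captured output).
SAMPLE_OLD = json.dumps({"product": "VMware vCenter Server", "version": "8.0.1.00200"})
SAMPLE_FIXED = json.dumps({"product": "VMware vCenter Server", "version": "8.0.1.00500"})
SAMPLE_UNKNOWN = json.dumps({"product": "VMware vCenter Server", "version": "6.7.0.00000"})

if __name__ == "__main__":
    for name, body in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED), ("unknown", SAMPLE_UNKNOWN)):
        print(name, assess_api_response(body))
```

A None result is the important edge case: an appliance on a train the table does not cover (the unsupported versions the article mentions) should be queued for manual review, not silently counted as patched.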