Imagine a critical security flaw in widely deployed enterprise software, actively exploited by attackers, while many of the organizations running it remain unaware. That is the situation with CVE-2024-37079, a vulnerability in Broadcom's VMware vCenter Server that has recently been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA)'s Known Exploited Vulnerabilities (KEV) catalog. The KEV listing is not a theoretical warning: CISA adds an entry only when it has evidence of exploitation in the wild, which makes this a pressing issue for businesses and government agencies alike.
Discovered and reported by researchers Hao Zheng and Zibo Li of the Chinese cybersecurity firm QiAnXin LegendSec, CVE-2024-37079 is a heap overflow in vCenter Server's implementation of the DCE/RPC protocol. With a CVSS score of 9.8 it is rated critical: an attacker with network access to vCenter Server, and no credentials (the CVSS vector carries PR:N), can achieve remote code execution by sending a specially crafted network packet. Broadcom patched the flaw in June 2024, alongside CVE-2024-37080, a second heap overflow in the same protocol implementation. These two are part of a larger set of four flaws in the DCE/RPC service, three heap overflows and one privilege escalation; the remaining two, CVE-2024-38812 and CVE-2024-38813, were patched in September 2024. One caveat for anyone auditing their patch level: Broadcom later reported that the September fix for CVE-2024-38812 was incomplete and re-issued corrected builds in October 2024, so the September release alone does not close that flaw.
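The article does not describe the specific defect behind CVE-2024-37079, and nothing below is VMware's code. As an added illustration of the bug class it names, a heap overflow in a DCE/RPC request parser reachable by a crafted packet, here is a minimal connection-oriented request PDU parser written for this article in the vulnerable form and the hardened form. The packet layout (16-byte common header, 8-byte request header, then stub data) follows the DCE 1.1 RPC specification; the bug shown is a generic length-confusion pattern (buffer sized from `frag_length`, copy sized from the advisory `alloc_hint`, neither checked against the bytes received). Only the little-endian data representation is handled, authentication trailers are rejected, and the sample stub bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative DCE/RPC CO request PDU parser (DCE 1.1 RPC spec layout). Example code
 * for this article, NOT VMware's implementation; the defect is a generic
 * length-confusion bug, not the specific flaw behind CVE-2024-37079. */
#define DCERPC_RPC_VERS      5
#define DCERPC_PTYPE_REQUEST 0
#define DCERPC_HDR_LEN       24   /* common header (16) + request header (8) */

struct dcerpc_request {
    uint16_t opnum;
    size_t   stub_len;
    uint8_t *stub;     /* heap copy of the stub data; caller frees */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* VULNERABLE: the heap buffer is sized from frag_length, but the copy length comes from
 * alloc_hint, a second attacker-controlled field; neither is checked against pkt_len. */
int parse_request_unsafe(const uint8_t *pkt, size_t pkt_len, struct dcerpc_request *out) {
    if (pkt_len < DCERPC_HDR_LEN) return -1;
    uint16_t frag_length = rd16(pkt + 8);
    uint32_t alloc_hint  = rd32(pkt + 16);
    out->opnum    = rd16(pkt + 22);
    out->stub_len = (size_t)frag_length - DCERPC_HDR_LEN;   /* wraps if frag_length < 24 */
    out->stub     = malloc(out->stub_len);
    if (!out->stub) return -1;
    memcpy(out->stub, pkt + DCERPC_HDR_LEN, alloc_hint);     /* BUG: heap overflow */
    return 0;
}

/* Bytes by which parse_request_unsafe would write past its allocation for this packet,
 * computed rather than performed, so the defect can be measured without corrupting the heap. */
size_t unsafe_overrun_bytes(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < DCERPC_HDR_LEN) return 0;
    uint16_t frag_length = rd16(pkt + 8);
    uint32_t alloc_hint  = rd32(pkt + 16);
    size_t alloc = frag_length >= DCERPC_HDR_LEN ? (size_t)frag_length - DCERPC_HDR_LEN : 0;
    return alloc_hint > alloc ? alloc_hint - alloc : 0;
}

/* HARDENED: every length is validated against what actually arrived, and the advisory
 * alloc_hint is never used as a copy length. */
int parse_request_safe(const uint8_t *pkt, size_t pkt_len, struct dcerpc_request *out) {
    if (pkt_len < DCERPC_HDR_LEN) return -1;
    if (pkt[0] != DCERPC_RPC_VERS || pkt[2] != DCERPC_PTYPE_REQUEST) return -1;
    if ((pkt[4] & 0xF0) != 0x10) return -1;           /* drep: little-endian only here */
    uint16_t frag_length = rd16(pkt + 8);
    uint16_t auth_length = rd16(pkt + 10);
    if (frag_length < DCERPC_HDR_LEN || frag_length > pkt_len) return -1;
    if (auth_length != 0) return -1;                  /* auth trailers not handled in this example */
    size_t stub_len = (size_t)frag_length - DCERPC_HDR_LEN;
    uint8_t *stub = malloc(stub_len ? stub_len : 1);
    if (!stub) return -1;
    memcpy(stub, pkt + DCERPC_HDR_LEN, stub_len);     /* bounded by the validated frag_length */
    out->opnum = rd16(pkt + 22); out->stub_len = stub_len; out->stub = stub;
    return 0;
}

/* Build a request PDU. frag_length and alloc_hint come from the caller so a test can
 * construct inconsistent (malicious) headers. Returns bytes written, 0 on error. */
size_t build_request(uint8_t *buf, size_t buf_len, uint16_t opnum, const uint8_t *stub,
                     size_t stub_len, uint16_t frag_length_field, uint32_t alloc_hint_field) {
    if (buf_len < DCERPC_HDR_LEN + stub_len) return 0;
    memset(buf, 0, DCERPC_HDR_LEN);
    buf[0] = DCERPC_RPC_VERS;      /* rpc_vers; rpc_vers_minor stays 0 */
    buf[2] = DCERPC_PTYPE_REQUEST;
    buf[3] = 0x03;                 /* PFC_FIRST_FRAG | PFC_LAST_FRAG */
    buf[4] = 0x10;                 /* drep: little-endian integers, ASCII */
    wr16(buf + 8,  frag_length_field);
    wr32(buf + 12, 1);             /* call_id; auth_length (offset 10) stays 0 */
    wr32(buf + 16, alloc_hint_field);
    wr16(buf + 22, opnum);         /* p_cont_id (offset 20) stays 0 */
    memcpy(buf + DCERPC_HDR_LEN, stub, stub_len);
    return DCERPC_HDR_LEN + stub_len;
}

int main(void) {
    static const uint8_t stub[4] = {0xde, 0xad, 0xbe, 0xef};   /* constructed sample stub */
    uint8_t pkt[64]; struct dcerpc_request req;
    /* Lying alloc_hint: the unsafe parser would copy 64 KiB into a 4-byte heap buffer;
     * the safe parser copies only the 4 bytes that frag_length and pkt_len vouch for. */
    size_t n = build_request(pkt, sizeof pkt, 7, stub, sizeof stub, 28, 0x10000);
    printf("unsafe overrun=%zu bytes, safe rc=%d\n", unsafe_overrun_bytes(pkt, n),
           parse_request_safe(pkt, n, &req));
    free(req.stub);
    return 0;
}
```

The fix is not "check alloc_hint"; it is to derive the copy length from one field that has itself been bounded by the number of bytes actually received, and to treat the hint as nothing more than a hint.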
What makes CVE-2024-37079 particularly dangerous is that it can be chained with the privilege escalation flaw (CVE-2024-38813) to obtain root on the vCenter Server Appliance, and through vCenter, control over the ESXi hosts it manages. It is unclear how widely the flaw is being exploited, who the attackers are, or the scale of the attacks, but Broadcom has officially confirmed in-the-wild exploitation, stating: "Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild." That confirmation underscores the urgency for organizations to act now.
In response to the active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required under Binding Operational Directive 22-01 to apply the vendor fix by February 13, 2026. The mandate is federal, but the exposure is not: any organization running vCenter Server should confirm it is on a build that contains the fix, since Broadcom's advisory lists no workaround for the DCE/RPC flaws. The open question is whether organizations are patching fast enough or leaving themselves exposed to potentially devastating attacks. With the stakes this high, it is not just about compliance; it is about safeguarding critical infrastructure from increasingly sophisticated threats.
What's your take? Are organizations prioritizing these patches adequately, or is there a dangerous lag in response?