CVE-2024-37079 — Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability

CVE-2024-37079

VMware vCenter Server — Out-of-Bounds Write in DCERPC Protocol; Pre-Auth RCE; CVSS 9.8; VMSA-2024-0012; KEV-Listed January 2026

What is VMware vCenter Server?

VMware vCenter Server is the centralized management platform for VMware vSphere virtualization environments. See CVE-2024-38812 for detailed product context. In summary: vCenter controls all virtual machines across an organization's VMware infrastructure, making it one of the highest-value targets in any enterprise environment. A compromised vCenter provides total control over the entire virtualized infrastructure — creating, deleting, or modifying any VM, exfiltrating data from running VMs via snapshots, and laterally moving to every workload. Nation-state actors and ransomware groups both prioritize vCenter access.

Overview

CVE-2024-37079 is an out-of-bounds write vulnerability (CWE-787) in VMware vCenter Server's DCERPC protocol implementation — the same protocol component affected by CVE-2024-38812 (September 2024), but discovered earlier. An attacker with network access to vCenter can send specially crafted DCERPC packets to trigger the out-of-bounds write, potentially achieving remote code execution without authentication. The vulnerability was published in June 2024 as part of VMSA-2024-0012, alongside the related CVE-2024-37080, and was added to CISA's KEV catalog in January 2026. That 19-month gap indicates that exploitation occurred long after the patch was available, against the large population of organizations that had not updated.

Affected Versions

Product                        Vulnerable     Fixed
VMware vCenter Server 8.0      < 8.0 U2d      8.0 U2d
VMware vCenter Server 7.0      < 7.0 U3q      7.0 U3q
VMware Cloud Foundation 5.x    < 5.1.3        5.1.3
VMware Cloud Foundation 4.x    < 4.9.1        4.9.1

Technical Details

The out-of-bounds write (CWE-787) is in the DCERPC (Distributed Computing Environment/Remote Procedure Call) protocol parser within vCenter Server's management component. Processing a malformed DCERPC packet causes a write operation to proceed beyond the bounds of an allocated buffer — writing attacker-controlled data to adjacent heap memory.

Out-of-bounds write exploitation: By carefully crafting the packet content and exploiting heap layout predictability, an attacker can overwrite a function pointer, vtable entry, or other control data adjacent to the overflow buffer. When the corrupted pointer is subsequently called, it redirects execution to attacker-controlled code. This yields remote code execution in the context of the vCenter service.
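The parser pattern described above, as an added illustration that is not vCenter's code (Broadcom has not published the affected source): a length-driven copy of DCE/RPC stub data in C, first in the unchecked form that makes a CWE-787 write possible, then in a hardened form that validates every length before using it. The 16-byte connection-oriented DCE/RPC common header with the 16-bit frag_length field at offset 8 is the real protocol layout; the 512-byte stub buffer, the packet builder run_case(), and the status codes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* DCE/RPC connection-oriented common header (C706 / MS-RPCE) is 16 bytes;
 * frag_length is the 16-bit total PDU length at offset 8. */
#define DCERPC_HDR_LEN      16
#define DCERPC_FRAG_LEN_OFF 8
/* Constructed stand-in for the receiver's fixed-size stub allocation. */
#define STUB_CAP            512
/* Constructed upper bound on what run_case() builds as "received" bytes. */
#define MAX_PKT             1024

enum dcerpc_status {
    DCERPC_OK = 0,
    DCERPC_ERR_SHORT_HEADER,     /* fewer than 16 bytes received */
    DCERPC_ERR_FRAG_TOO_SMALL,   /* frag_length < 16: subtraction would wrap */
    DCERPC_ERR_FRAG_EXCEEDS_PKT, /* frag_length claims more bytes than arrived */
    DCERPC_ERR_STUB_TOO_LARGE    /* stub data would overrun the destination */
};

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* "Before": the shape of a CWE-787 parser bug. The peer-supplied frag_length
 * drives the copy length with no check against the bytes actually received or
 * the destination capacity, so a large value writes past 'out'. Kept for
 * contrast only; nothing below calls it with an untrusted length. */
size_t copy_stub_unchecked(const uint8_t *pkt, uint8_t *out)
{
    size_t stub_len = (size_t)rd_le16(pkt + DCERPC_FRAG_LEN_OFF) - DCERPC_HDR_LEN;
    memcpy(out, pkt + DCERPC_HDR_LEN, stub_len);
    return stub_len;
}

/* "After": every length is validated before it is used. */
enum dcerpc_status copy_stub_checked(const uint8_t *pkt, size_t pkt_len,
                                     uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (pkt_len < DCERPC_HDR_LEN)
        return DCERPC_ERR_SHORT_HEADER;
    uint16_t frag_length = rd_le16(pkt + DCERPC_FRAG_LEN_OFF);
    if (frag_length < DCERPC_HDR_LEN)            /* guards the unsigned wrap below */
        return DCERPC_ERR_FRAG_TOO_SMALL;
    if (frag_length > pkt_len)                   /* never read beyond what arrived */
        return DCERPC_ERR_FRAG_EXCEEDS_PKT;
    size_t stub_len = (size_t)frag_length - DCERPC_HDR_LEN;
    if (stub_len > out_cap)                      /* never write beyond the destination */
        return DCERPC_ERR_STUB_TOO_LARGE;
    memcpy(out, pkt + DCERPC_HDR_LEN, stub_len);
    *out_len = stub_len;
    return DCERPC_OK;
}

struct case_result { enum dcerpc_status status; size_t out_len; };

/* Build a constructed request PDU whose header claims 'claimed_frag_length'
 * while only 'received_len' bytes are actually present, then run the hardened
 * parser into a STUB_CAP-byte buffer. */
struct case_result run_case(uint16_t claimed_frag_length, size_t received_len)
{
    uint8_t pkt[MAX_PKT];
    uint8_t stub[STUB_CAP];
    struct case_result r = { DCERPC_OK, 0 };

    if (received_len > MAX_PKT) received_len = MAX_PKT;
    memset(pkt, 0x41, sizeof pkt);               /* filler stub bytes */
    if (received_len >= DCERPC_HDR_LEN) {
        pkt[0] = 5; pkt[1] = 0;                  /* rpc_vers 5.0 */
        pkt[2] = 0;                              /* ptype 0 = request */
        pkt[3] = 0x03;                           /* first + last fragment */
        pkt[4] = 0x10; pkt[5] = pkt[6] = pkt[7] = 0; /* drep: little-endian */
        wr_le16(pkt + DCERPC_FRAG_LEN_OFF, claimed_frag_length);
        wr_le16(pkt + 10, 0);                    /* auth_length */
        memset(pkt + 12, 0, 4); pkt[12] = 1;     /* call_id 1 */
    }
    r.status = copy_stub_checked(pkt, received_len, stub, sizeof stub, &r.out_len);
    return r;
}

int main(void)
{
    const struct { uint16_t frag; size_t recv; } cases[] = {
        {24, 24}, {0xFFFF, 24}, {8, 24}, {616, 616}, {20, 8}
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct case_result r = run_case(cases[i].frag, cases[i].recv);
        printf("frag_length=%5u received=%4zu -> status %d, stub copied %zu\n",
               cases[i].frag, cases[i].recv, (int)r.status, r.out_len);
    }
    return 0;
}
```

The three checks in copy_stub_checked() each close a different failure mode: the first two reject a header-derived length that would wrap or exceed the bytes on the wire (an out-of-bounds read), and the third is the one whose absence produces the out-of-bounds write class this CVE belongs to.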

DCERPC exposure: The DCERPC protocol ports on vCenter are reachable from any host that can reach the vCenter management network. In environments where vCenter is on a flat management network accessible from all corporate hosts, any compromised internal endpoint can exploit this vulnerability.

CVE-2024-37080 companion: Also published in VMSA-2024-0012, CVE-2024-37080 is another DCERPC out-of-bounds write in vCenter. Both require the same patch.

Discovery

The vulnerability was reported by security researchers and credited in Broadcom's VMSA-2024-0012 advisory. The June 2024 VMSA was significant enough to be widely covered, with Broadcom urging immediate patching.

Exploitation Context

The 19-month gap between the June 2024 patch and the January 2026 KEV listing reflects a common pattern for enterprise infrastructure: large organizations with complex change management processes defer critical patching of production infrastructure for months or years. VMware vCenter patches typically require a maintenance window and carry risk of disruption, causing many organizations to delay. Attackers — both nation-state and ransomware — specifically target this deferred-patching window for high-value infrastructure like vCenter. CISA's January 2026 KEV listing confirmed active exploitation of unpatched vCenter instances nearly two years after the fix was available.

Remediation

  1. Apply VMware vCenter patches from VMSA-2024-0012 — upgrade to vCenter Server 8.0 U2d or 7.0 U3q. The CISA deadline was February 13, 2026.
  2. Also apply VMSA-2024-0019 patches (CVE-2024-38812, September 2024) if not already done — the same DCERPC component has multiple vulnerabilities requiring sequential patching.
  3. Restrict vCenter network access to dedicated management VLANs — vCenter management ports should only be reachable from authorized administrator workstations and management jump hosts, not from general enterprise networks.
  4. Monitor vCenter API logs and vSphere Client access logs for unexpected access patterns.
  5. Consider an emergency patching policy for vCenter and other tier-1 hypervisor management infrastructure; these systems warrant accelerated patch timelines despite the operational risk.
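A triage helper for step 1, added here as example code rather than anything from Broadcom or this page: it parses vCenter Server release names in the "8.0 U2d" form used in the Affected Versions table, compares them against the fixed releases for the 8.0 and 7.0 lines, and flags each inventory entry. The inventory, host names and release strings are constructed; release lines not in the table (Cloud Foundation, end-of-life lines such as 6.7) are reported as not listed rather than guessed at. Comparing release names is only an approximation of the vendor's build-number patch matrix, so a "fixed" result is a prompt to confirm the installed build against VMSA-2024-0012, not a substitute for it.

```c
#include <stdio.h>
#include <string.h>

/* vCenter Server release name "<major>.<minor> U<update><letter>", e.g. "8.0 U2d".
 * 'letter' is '\0' when the release has no letter suffix (e.g. "8.0 U2"). */
struct vc_version { unsigned major, minor, update; char letter; };

enum vc_verdict { VC_VULNERABLE, VC_FIXED, VC_NOT_LISTED, VC_UNPARSEABLE };

/* Fixed releases from the Affected Versions table, vCenter Server rows only. */
static const struct { unsigned major, minor; const char *fixed; } FIXES[] = {
    { 8, 0, "8.0 U2d" },
    { 7, 0, "7.0 U3q" },
};

/* Accepts "8.0", "8.0 U2" and "8.0 U2d" (lowercase letter). Returns 1 on success. */
int vc_parse(const char *s, struct vc_version *v)
{
    memset(v, 0, sizeof *v);
    int n = sscanf(s, "%u.%u U%u%c", &v->major, &v->minor, &v->update, &v->letter);
    if (n == 4)
        return (v->letter >= 'a' && v->letter <= 'z');
    if (n == 3 || n == 2)        /* no letter suffix, or no update at all */
        return 1;
    return 0;
}

/* Ordering of release names: "8.0" < "8.0 U2" < "8.0 U2a" < "8.0 U2d" < "8.0 U3". */
int vc_cmp(const struct vc_version *a, const struct vc_version *b)
{
    if (a->major != b->major)   return a->major  < b->major  ? -1 : 1;
    if (a->minor != b->minor)   return a->minor  < b->minor  ? -1 : 1;
    if (a->update != b->update) return a->update < b->update ? -1 : 1;
    if (a->letter != b->letter) return a->letter < b->letter ? -1 : 1;
    return 0;
}

enum vc_verdict vc_assess(const char *release)
{
    struct vc_version v, fixed;
    if (!vc_parse(release, &v))
        return VC_UNPARSEABLE;
    for (size_t i = 0; i < sizeof FIXES / sizeof FIXES[0]; i++) {
        if (FIXES[i].major != v.major || FIXES[i].minor != v.minor)
            continue;
        vc_parse(FIXES[i].fixed, &fixed);
        return vc_cmp(&v, &fixed) < 0 ? VC_VULNERABLE : VC_FIXED;
    }
    return VC_NOT_LISTED;   /* release line not in the table: check the advisory directly */
}

static const char *verdict_str(enum vc_verdict v)
{
    static const char *names[] = { "VULNERABLE", "fixed", "not listed", "unparseable" };
    return names[v];
}

int main(void)
{
    /* Constructed inventory; host names and releases are made up for the example. */
    const struct { const char *host; const char *release; } inventory[] = {
        { "vcsa-prod-01.example.test", "8.0 U2c" },
        { "vcsa-prod-02.example.test", "8.0 U2d" },
        { "vcsa-dr-01.example.test",   "7.0 U3p" },
        { "vcsa-lab-01.example.test",  "8.0 U3"  },
        { "vcsa-legacy.example.test",  "6.7 U3"  },
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++)
        printf("%-28s %-8s %s\n", inventory[i].host, inventory[i].release,
               verdict_str(vc_assess(inventory[i].release)));
    return 0;
}
```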

Key Details

Property              Value
CVE ID                CVE-2024-37079
Vendor / Product      Broadcom — VMware vCenter Server
NVD Published         2024-06-18
NVD Last Modified     2026-01-26
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-787
CISA KEV Added        2026-01-23
CISA KEV Deadline     2026-02-13
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2026-02-13. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-06-17    Broadcom releases VMSA-2024-0012 with patches for CVE-2024-37079 and CVE-2024-37080
2024-06-18    CVE published
2026-01-23    CISA adds to KEV (19-month gap — delayed exploitation of organizations running unpatched vCenter)
2026-02-13    CISA BOD 22-01 remediation deadline

References

Resource                                            Type
Broadcom VMware Security Advisory VMSA-2024-0012    Vendor Advisory
NVD — CVE-2024-37079                                Vulnerability Database
CISA KEV Catalog Entry                              US Government