What is VMware vCenter Server?
VMware vCenter Server is the centralized management platform for VMware vSphere virtualization environments, managing ESXi hosts, virtual machines, storage, and networking across an organization's virtualized infrastructure. vCenter is deployed in virtually every enterprise that runs VMware — which is the majority of large organizations. A compromised vCenter server grants the attacker complete control over all virtual machines in the environment: they can create snapshots of running VMs (capturing memory and disk state), power VMs on/off, modify VM configurations, or deploy malicious VMs. vCenter has been a prime target for nation-state actors and ransomware groups, as its compromise delivers control over the entire virtualized infrastructure.
Overview
CVE-2024-38812 is a heap-based buffer overflow vulnerability (CWE-122) in VMware vCenter Server's implementation of the DCERPC (Distributed Computing Environment/Remote Procedure Call) protocol. An attacker with network access to vCenter Server can send a specially crafted network packet to trigger the heap overflow and potentially achieve remote code execution without authentication. Broadcom (which acquired VMware) released initial patches in September 2024, but then discovered the first patch was incomplete and released new patches in October 2024. CISA added both CVE-2024-38812 and its companion CVE-2024-38813 (privilege escalation) to the KEV catalog in November 2024.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| VMware vCenter Server 8.0 | < 8.0 U3d | 8.0 U3d |
| VMware vCenter Server 7.0 | < 7.0 U3t | 7.0 U3t |
| VMware Cloud Foundation 5.x | < 5.2.1.1 | 5.2.1.1 |
| VMware Cloud Foundation 4.x | Various | See VMSA-2024-0019 |
Note: The October 2024 patch update supersedes the September 2024 patch. Organizations that applied the September patch must apply the October patch as well — the September patch was insufficient.
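Because the September patch was superseded, an inventory check has to compare against the October fixed releases in the table above, not against "has some U3 patch". The following is an added example, not code from the page or from Broadcom: it parses vCenter's "MAJOR.MINOR U<n><letter>" update notation and Cloud Foundation's dotted versions and classifies each entry of a constructed inventory against the fixed versions listed on this page (hostnames and inventory versions are illustrative assumptions).

```python
import re
from typing import Optional, Tuple

# Fixed releases taken from the advisory table on this page, keyed by (product, major version).
FIXED = {
    ("vCenter Server", 8): "8.0 U3d",
    ("vCenter Server", 7): "7.0 U3t",
    ("Cloud Foundation", 5): "5.2.1.1",
}

def parse_vcenter(version: str) -> Tuple[int, int, int, str]:
    """Turn '8.0 U3d' / '7.0 U3' into a sortable tuple (major, minor, update, letter).
    A missing update letter sorts before 'a', so '8.0 U3' < '8.0 U3a' < '8.0 U3d'."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\s+U(\d+)([a-z]?))?\s*", version)
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {version!r}")
    major, minor, upd, letter = m.groups()
    return (int(major), int(minor), int(upd or 0), letter or "")

def parse_dotted(version: str) -> Tuple[int, ...]:
    """Dotted numeric versions such as Cloud Foundation '5.2.1.1'."""
    return tuple(int(p) for p in version.strip().split("."))

def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if below the fixed release, False if at/after it, None if the page gives no threshold."""
    if product == "vCenter Server":
        v = parse_vcenter(version)
        fixed = FIXED.get((product, v[0]))
        return None if fixed is None else v < parse_vcenter(fixed)
    if product == "Cloud Foundation":
        v = parse_dotted(version)
        fixed = FIXED.get((product, v[0]))
        return None if fixed is None else v < parse_dotted(fixed)   # VCF 4.x: see VMSA-2024-0019
    return None

def triage(inventory):
    """Map each (host, product, version) entry of an inventory to its status."""
    return {host: is_vulnerable(product, ver) for host, product, ver in inventory}

# Constructed sample inventory; hostnames and versions are illustrative, not real systems.
SAMPLE_INVENTORY = [
    ("vc01.example.test", "vCenter Server", "8.0 U3c"),     # below 8.0 U3d -> vulnerable
    ("vc02.example.test", "vCenter Server", "8.0 U3d"),     # October fixed release
    ("vc03.example.test", "vCenter Server", "7.0 U3"),      # no update letter -> vulnerable
    ("vc04.example.test", "vCenter Server", "7.0 U3t"),     # October fixed release
    ("vcf01.example.test", "Cloud Foundation", "5.2.1.0"),  # below 5.2.1.1 -> vulnerable
    ("vcf02.example.test", "Cloud Foundation", "4.5.2"),    # 4.x: page gives no threshold
]

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "fixed", None: "check advisory"}
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:20} {labels[status]}")
```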
Technical Details
The heap buffer overflow (CWE-122) is in vCenter Server's DCERPC protocol handler. DCERPC (also known as MS-RPC) is a remote procedure call protocol; VMware implements it for certain vSphere management communications. The vulnerability occurs when processing incoming DCERPC packets — a specially crafted packet with a malformed or oversized field causes a heap buffer overflow in the server process.
Heap overflow to RCE: A controlled heap overflow in a server process can be exploited to overwrite adjacent heap memory — function pointers, vtable entries, or other control structures — causing the server to execute attacker-controlled code when those corrupted structures are subsequently used.
Network exposure: vCenter Server's management ports (443 for the vSphere Client web interface, plus various internal RPC ports) are typically accessible from the internal network. In many organizations, vCenter is reachable from anywhere on the corporate network, making the attack viable from any compromised internal host — or directly from the internet if vCenter management is exposed externally (a common misconfiguration).
CVE-2024-38813 companion: A privilege escalation vulnerability published in the same advisory — an attacker who achieves code execution via CVE-2024-38812 can escalate to root using CVE-2024-38813.
Discovery
The vulnerability was reported by zbl (a.k.a. "loophole") and srs of TZL (Team Singular) at the Pwn2Own Vancouver 2024 competition or through the VMware bug bounty program. Broadcom credited the researchers in VMSA-2024-0019.
Exploitation Context
CISA confirmed active exploitation and added CVE-2024-38812 to the KEV catalog on November 20, 2024, with a December 11, 2024 deadline. The confirmation came after the October patch clarification — indicating that attackers exploited systems where administrators believed they had applied the September patch (which was actually insufficient). vCenter vulnerabilities attract sophisticated threat actors including nation-state groups due to the high-value nature of the target.
Remediation
- Apply the October 2024 updated patches from VMSA-2024-0019 — specifically vCenter Server 8.0 U3d or 7.0 U3t. Organizations that applied only the September 2024 patch must re-patch. The CISA deadline was December 11, 2024.
- Restrict vCenter network access — vCenter management interfaces should only be accessible from dedicated management networks and administrator workstations, not from general enterprise networks or the internet.
- Enable vCenter's built-in firewall to restrict which source IP addresses can reach the vCenter management ports.
- Monitor vCenter logs for unexpected API calls or authentication events from unusual source addresses during the exposure window (September–November 2024).
- Apply CVE-2024-38813 patch simultaneously — both vulnerabilities are addressed in the same patch and form a complete exploit chain.
- Audit vCenter for unauthorized VMs or configuration changes that might indicate post-exploitation activity.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-38812 |
| Vendor / Product | VMware — vCenter Server |
| NVD Published | 2024-09-17 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-122 |
| CISA KEV Added | 2024-11-20 |
| CISA KEV Deadline | 2024-12-11 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-09-17 | Broadcom releases VMSA-2024-0019; initial patches for CVE-2024-38812 and CVE-2024-38813 |
| 2024-10-21 | Broadcom releases updated VMSA-2024-0019 — first patch was incomplete; new patches required |
| 2024-11-20 | CISA adds CVE-2024-38812 and CVE-2024-38813 to KEV catalog (active exploitation confirmed) |
| 2024-12-11 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Broadcom VMware Security Advisory VMSA-2024-0019 | Vendor Advisory |
| NVD — CVE-2024-38812 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |