CVE-2024-38813 — VMware vCenter Server Privilege Escalation Vulnerability

VMware vCenter Server — Privilege Escalation to Root via Crafted Network Packet; Paired with CVE-2024-38812 Heap Overflow

What is VMware vCenter Server?

VMware vCenter Server is the centralized management platform for VMware vSphere environments — it provides a single interface to manage ESXi hypervisors, virtual machines, storage, and networking across the entire virtualization infrastructure. vCenter holds administrative credentials for all managed ESXi hosts, has the ability to create/modify/delete virtual machines, and controls the virtual network and storage fabric. Because vCenter manages the hypervisor layer beneath all VMs, compromise of vCenter Server is equivalent to full compromise of every VM it manages — making it one of the highest-value targets in any enterprise environment.

Overview

CVE-2024-38813 is a privilege escalation vulnerability in VMware vCenter Server that allows an authenticated, low-privileged attacker with network access to escalate privileges to root by sending a specially crafted network packet. It was published as part of Broadcom's VMSA-2024-0019 security advisory on September 17, 2024, alongside the more severe CVE-2024-38812 (a heap overflow enabling RCE). The two are frequently chained: CVE-2024-38812 provides initial code execution, CVE-2024-38813 escalates to root. Broadcom confirmed active exploitation when CISA added both to the KEV catalog on November 20, 2024.

Affected Versions

Product                        Vulnerable                         Fixed
VMware vCenter Server 8.0      < 8.0 U3b                          8.0 U3b
VMware vCenter Server 7.0      < 7.0 U3s                          7.0 U3s
VMware Cloud Foundation 5.x    Bundled vCenter — see advisory     Patch per advisory
VMware Cloud Foundation 4.x    Bundled vCenter — see advisory     Patch per advisory

Technical Details

CWE-250 (Execution with Unnecessary Privileges). The vCenter Server application contains code that executes certain operations with higher privileges than necessary. An authenticated attacker who can interact with the vCenter network interface can trigger this code path — by sending a specially crafted packet — and cause privileged code execution to be performed on their behalf, escalating from their initial low-privilege access to root on the vCenter appliance.

When chained with CVE-2024-38812 (a heap overflow in the DCERPC protocol implementation used by vCenter):

  1. CVE-2024-38812 — Unauthenticated or low-auth heap overflow → code execution in the vCenter process
  2. CVE-2024-38813 — Privilege escalation from initial access → root on the vCenter Server appliance

Root access on vCenter enables: extracting all ESXi host credentials from the vCenter database, deploying or modifying VMs across the entire virtual infrastructure, accessing sensitive data stored in VMs, and potentially affecting every system in the organization.

Discovery

Reported to Broadcom/VMware. The two-month gap between patch release (September 17) and KEV addition (November 20) indicates exploitation was detected through threat intelligence rather than at the time of patch. Broadcom's confirmation of active exploitation alongside the November 20 KEV addition underscores that organized threat actors were exploiting unpatched vCenter deployments.

Exploitation Context

VMware vCenter is a near-universal target in ransomware and nation-state intrusions: compromising the virtualization layer provides immediate access to a large number of systems simultaneously and enables VM snapshot exfiltration for data theft or encrypted VM deployment for maximum ransomware impact. The confirmed exploitation of CVE-2024-38813 alongside the heap overflow CVE-2024-38812 reflects the high priority threat actors place on vCenter vulnerabilities — patching both promptly is essential.

Remediation

  1. Upgrade vCenter Server to 8.0 U3b (for 8.0.x) or 7.0 U3s (for 7.0.x) immediately. Both CVE-2024-38812 and CVE-2024-38813 are fixed by the same update.
  2. As an interim workaround (if patching is delayed): restrict network access to vCenter to authorized management IP addresses only — the vCenter management interface must not be internet-accessible.
  3. After patching, review vCenter authentication logs for unexpected logins, new user accounts, or unusual permission grants.
  4. Audit ESXi host and VM configuration changes for unauthorized modifications made during the exposure window.
  5. Rotate the vCenter SSO administrator password and the ESXi host root passwords as a precaution after any confirmed or suspected exposure period.
  6. See also CVE-2024-38812 (heap overflow) — both vulnerabilities should be patched together as they are commonly chained.

Key Details

Property                Value
CVE ID                  CVE-2024-38813
Vendor / Product        VMware — vCenter Server
NVD Published           2024-09-17
NVD Last Modified       2025-10-31
CVSS 3.1 Score          7.5
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity                HIGH
CWE                     CWE-250
CISA KEV Added          2024-11-20
CISA KEV Deadline       2024-12-11
Known Ransomware Use    No

CVSS 3.1 Breakdown

Metric                  Value
Attack Vector           Network
Attack Complexity       High
Privileges Required     Low
User Interaction        None
Scope                   Unchanged
Confidentiality         High
Integrity               High
Availability            High

Required Action

CISA BOD 22-01 Deadline: 2024-12-11. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-09-17    Broadcom publishes VMSA-2024-0019 covering CVE-2024-38812 (heap overflow) and CVE-2024-38813 (privilege escalation); patches released
2024-11-20    Added to CISA Known Exploited Vulnerabilities catalog; Broadcom confirms active exploitation
2024-12-11    CISA BOD 22-01 remediation deadline

References

Resource                                                 Type
Broadcom/VMware Security Advisory — VMSA-2024-0019       Vendor Advisory
NVD — CVE-2024-38813                                     Vulnerability Database
CISA KEV Catalog Entry                                   US Government