
CVE-2024-37079: VMware vCenter Server DCERPC Heap Overflow (RCE)


Filip Dimitrov

January 26, 2026

CVE-2024-37079 is a critical remote code execution (RCE) vulnerability in VMware vCenter Server caused by a heap overflow in the DCERPC protocol implementation. On January 23, 2026, Broadcom updated its advisory to state that it has information suggesting exploitation has occurred in the wild.

CISA has also added the issue to the Known Exploited Vulnerabilities (KEV) catalog, with a federal remediation due date of February 13, 2026.

Vulnerability Details 

Originally disclosed in January 2024, CVE-2024-37079 is a heap overflow / out-of-bounds write issue, categorized as CWE-787 in NVD. It is network-reachable and can be triggered by sending a specially crafted network packet that abuses vCenter’s DCERPC handling.

Successful exploitation can result in remote code execution on VMware vCenter Server, and it is treated as critical severity, with a maximum CVSSv3 base score of 9.8 assigned by the vendor.

What is Vulnerable

Affected product

  • VMware vCenter Server (also impacts VMware Cloud Foundation deployments that include vCenter).

Fixed versions

Broadcom’s response matrix lists remediation via upgrades to these fixed releases:

  • vCenter Server 8.0 → 8.0 U2d
  • vCenter Server 8.0 → 8.0 U1e
  • vCenter Server 7.0 → 7.0 U3r
  • VMware Cloud Foundation 4.x / 5.x: apply KB88287 guidance

Broadcom explicitly notes that in-product workarounds were investigated but not viable, so a patch/upgrade is the primary path.
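As an added example (not Broadcom's or this article's own code), the Python script below triages an inventory of vCenter release strings against the fixed versions listed above. It assumes releases are recorded in the "8.0 U2c" form, that update trains newer than those in the matrix already carry the fix, and it uses constructed hostnames and versions.

```python
import re

# Fixed releases from the matrix above:
# (release line, update number) -> first fixed patch letter
FIXED = {("8.0", 2): "d", ("8.0", 1): "e", ("7.0", 3): "r"}
# Highest update train the matrix names for each release line
MAX_LISTED = {"8.0": 2, "7.0": 3}
_VERSION = re.compile(r"^\s*(\d+\.\d+)(?:\s*U(\d+)([a-z]?))?\s*$", re.IGNORECASE)

def triage(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for a string such as '8.0 U2c'."""
    m = _VERSION.match(version)
    if not m or m.group(1) not in MAX_LISTED:
        return "unknown"      # unparsable, or a release line the matrix does not cover
    line = m.group(1)
    update = int(m.group(2) or 0)
    letter = (m.group(3) or "").lower()
    if update > MAX_LISTED[line]:
        # Assumption: trains newer than those in the matrix already include the fix.
        return "fixed"
    floor = FIXED.get((line, update))
    if floor is None:
        return "vulnerable"   # older train with no fixed release listed, e.g. 7.0 U2
    return "fixed" if letter >= floor else "vulnerable"

# Constructed sample inventory (hostnames and versions are made up for illustration).
INVENTORY = {
    "vc-prod-01": "8.0 U2c",
    "vc-prod-02": "8.0 U2d",
    "vc-dr-01": "8.0 U1d",
    "vc-lab-01": "7.0 U3q",
    "vc-lab-02": "7.0 U3r",
    "vc-old-01": "6.7 U3",
}

def needs_patch(inventory):
    """Hosts not confirmed fixed, mapped to their triage status, for the patch queue."""
    return {h: s for h, v in inventory.items() if (s := triage(v)) != "fixed"}

if __name__ == "__main__":
    for host, status in needs_patch(INVENTORY).items():
        print(f"{host}: {INVENTORY[host]} -> {status}")
```

Hosts reported as "unknown" fall outside the release lines in the matrix and need a manual check against the vendor advisory.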

Impact

vCenter is a high-value management plane, so compromise has disproportionate consequences. An attacker who gains code execution can obtain privileged control over virtualization operations, including inventory management, templates, credentials, and integrations, effectively turning vCenter into a control point for the environment. 

From there, the attacker can create downstream access paths into hypervisors and hosted workloads, especially in environments where management trust relationships and shared admin access are in place.

Mitigation and Remediation 

  1. Patch/upgrade to the fixed versions per Broadcom's response matrix (8.0 U2d / 8.0 U1e / 7.0 U3r; VCF KB88287).
  2. Remove internet exposure of vCenter and restrict access to trusted admin networks only, especially any exposure that allows access to the exploitable service surface (Shadowserver highlights DCERPC accessibility as the key condition).
  3. Increase monitoring for vCenter authentication/admin activity and unusual network flows until patching is complete.

Stay Safe. Stay Secure

OP Innovate Research Team
