CVE-2024-37079
Published: 18 June 2024
Summary
CVE-2024-37079 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in VMware vCenter Server. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. The flaw is tracked as CVE-2024-37079 and carries a CVSS 3.1 base score of 9.8, reflecting that it is exploitable over the network without authentication or user interaction.
A malicious actor with network access to vCenter Server can trigger the issue by sending a specially crafted network packet, potentially resulting in remote code execution on the affected system.
Broadcom has published security advisory 24453 that addresses the vulnerability and directs customers to the corresponding patches and mitigation steps for supported vCenter Server releases. The flaw is also catalogued in CISA’s Known Exploited Vulnerabilities list.
The associated EPSS score currently stands at 0.8205 with a recorded peak of 0.8296, indicating sustained and substantial exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36412
Vulnerability details
vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet, potentially leading to remote code execution.
- CWE(s): CWE-787 (Out-of-bounds Write)
- KEV Date Added: 23 January 2026
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patches that eliminate the heap-overflow flaw in the DCERPC stack.
- SI-10 (Information Input Validation): mandates validation of all input packets, blocking the specially crafted DCERPC messages that trigger the out-of-bounds write.
- Boundary protection: enforces boundary filtering and allow-listing so that only authorized hosts can reach the vCenter DCERPC listener.