
CVE-2024-37079

Tags: Critical | CISA KEV | Active Exploitation | EUVD Exploited

Published: 18 June 2024
Modified: 26 January 2026
KEV Added: 23 January 2026
Patch: see Broadcom security advisory 24453
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8205 (99.2nd percentile)
Risk Priority: 89 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-37079 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in VMware vCenter Server. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. The flaw is tracked as CVE-2024-37079 and carries a CVSS 3.1 base score of 9.8, reflecting that it is exploitable over the network without authentication or user interaction.

A malicious actor with network access to vCenter Server can trigger the issue by sending a specially crafted network packet, potentially resulting in remote code execution on the affected system.

Broadcom has published security advisory 24453 that addresses the vulnerability and directs customers to the corresponding patches and mitigation steps for supported vCenter Server releases. The flaw is also catalogued in CISA’s Known Exploited Vulnerabilities list.

The associated EPSS score currently stands at 0.8205 with a recorded peak of 0.8296, indicating sustained and substantial exploitation interest since disclosure.

Vulnerability details

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added: 23 January 2026

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- VMware Cloud Foundation, versions 4.0 through 5.2
- VMware vCenter Server, versions 7.0 and 8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

- SI-2 Flaw Remediation (prevent): directly requires timely installation of vendor patches that eliminate the heap-overflow flaw in the DCERPC stack.

- SI-10 Information Input Validation (prevent): mandates validation of all input packets, blocking the specially crafted DCERPC messages that trigger the out-of-bounds write.

- Boundary protection (prevent; control identifier not stated on this page): enforces boundary filtering and allow-listing so that only authorized hosts can reach the vCenter DCERPC listener.