CVE-2024-37081

Severity: High
Published: 18 June 2024
Modified: 20 June 2025
KEV Added: not listed
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4987 (97.9th percentile)
Risk Priority: 46 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-37081 is a high-severity vulnerability in VMware vCenter Server, classified as ASP.NET Misconfiguration: Use of Identity Impersonation (CWE-556). Its CVSS base score is 7.8 (High).

Operationally, it is ranked in the top 2.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

vCenter Server contains multiple local privilege escalation vulnerabilities caused by a misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on the vCenter Server Appliance. The issues affect the vCenter Server Appliance component and carry a CVSS 3.1 base score of 7.8.

An authenticated local attacker with low privileges can exploit the sudo misconfigurations to obtain root-level access on the appliance. Because the attack vector is local (AV:L), the precondition is an existing low-privileged account or shell on the appliance; successful exploitation then grants full control over the vCenter Server environment, including the ability to read, modify, or delete arbitrary data and to affect availability.

Broadcom has published security advisories that address the vulnerabilities; they are available at the referenced support pages. The current EPSS score stands at 0.4987, with a recorded peak of 0.5028.

Related Threats

No named actor attribution yet. ATT&CK technique mapping is in progress for this CVE.

Affected Assets

Vendor   Product            Affected versions
vmware   vcenter server     7.0, 8.0
vmware   cloud foundation   4.0 to 5.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.