Cyber Resilience

CVE-2024-38812

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 17 September 2024

Modified: 31 October 2025
KEV Added: 20 November 2024
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7787 (99.0th percentile)
Risk Priority: 86 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-38812 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in VMware vCenter Server. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 1.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-38812 is a heap-overflow vulnerability in the DCERPC protocol implementation within VMware vCenter Server. The flaw, tracked under CWEs 122 and 787, allows out-of-bounds writes that can be triggered by malformed network traffic. It carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.

An unauthenticated attacker with network access to vCenter Server can exploit the issue by sending a specially crafted packet, resulting in remote code execution with full control over the affected system. The vulnerability affects the core management component of vSphere environments and can be reached without authentication.

Broadcom has published an advisory detailing the issue and available patches, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation. The associated EPSS score remains elevated, with a peak of 0.8036 and current value of 0.7787.

Vulnerability details

The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

CWE(s)
KEV Date Added: 20 November 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vmware cloud foundation: 4.0 — 5.2
vmware vcenter server: 7.0, 8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Restricts network traffic to vCenter Server, directly blocking unauthenticated attackers from sending crafted DCERPC packets that trigger the heap overflow.

prevent

Requires validation of protocol inputs, preventing specially crafted DCERPC packets from exploiting the heap-overflow condition leading to RCE.

prevent

Enforces memory protections that can mitigate exploitation of the heap-overflow weakness in the DCERPC implementation.
