Overview
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has designated the VMware vCenter Server vulnerability CVE-2024-37079 as actively exploited. Federal agencies have three weeks, until February 13, 2025, to apply patches.
Technical Details
CVE-2024-37079 is a heap overflow in the DCERPC protocol implementation of vCenter Server, part of Broadcom's VMware vSphere management platform. An attacker with network access to vCenter Server can send a specially crafted packet that triggers the overflow and leads to remote code execution; no privileges or user interaction are required.
Impact on Federal Agencies
CISA's Binding Operational Directive (BOD) 22-01 requires non-military executive branch agencies, such as the Departments of State, Justice, Energy, and Homeland Security, to remediate the flaw within the three-week window.
Mitigation Recommendations
- Apply the June 2024 security patches for vCenter Server and Cloud Foundation immediately.
- Follow Broadcom's vendor instructions for patch deployment.
- If patches cannot be applied, discontinue use of the affected product.
Related Recent VMware Vulnerabilities
- CVE-2025-41244: high-severity flaw in VMware Aria Operations and Tools, exploited by Chinese actors since October 2024.
- CVE-2025-41251 and CVE-2025-41252: high-severity NSX flaws reported by the NSA.
- CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: actively exploited zero-days reported by Microsoft.