CISA Flags Actively Exploited VMware vCenter Server RCE (CVE-2024-37079)
CISA added CVE-2024-37079, a critical VMware vCenter Server vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog after Broadcom indicated it has evidence of in-the-wild exploitation. The flaw is a 9.8 CVSS out-of-bounds write/heap-overflow issue in vCenter Server’s DCERPC implementation; an attacker with network access can send specially crafted packets that may result in remote code execution (RCE). CISA’s KEV entry does not attribute exploitation to a specific threat actor and lists ransomware use as unknown, but the KEV addition triggers mandatory remediation timelines for US federal agencies.
Reporting also noted CISA added multiple other enterprise software issues to KEV in a short span (including vulnerabilities affecting Versa Concerto and Zimbra, plus developer tools), but the vCenter Server item drew specific attention because it was patched by Broadcom in 2024 and is still being exploited. Broadcom has not publicly provided details on the scope, victims, or exploitation chain beyond acknowledging observed exploitation, reinforcing the need for organizations running vCenter Server to validate exposure and ensure the relevant updates are deployed.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA adds VMware vCenter CVE-2024-37079 to the KEV catalog
On 2026-01-23, CISA added CVE-2024-37079 to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The agency required U.S. federal civilian agencies to remediate the flaw by 2026-02-13.
Broadcom confirms CVE-2024-37079 has been exploited in the wild
On 2026-01-23, Broadcom updated its advisory to state it had information indicating in-the-wild exploitation of VMware vCenter Server flaw CVE-2024-37079. The company did not disclose threat actors, campaign scope, or technical details of the attacks.
CISA adds four more enterprise software flaws to KEV
Across 2026-01-22 and 2026-01-23, CISA also added CVE-2025-34026 (Versa Concerto), CVE-2025-68645 (Zimbra), CVE-2025-31125 (Vite), and CVE-2025-54313 (eslint-config-prettier supply-chain compromise) to the KEV catalog. Federal remediation deadlines were set for 2026-02-12 for these four vulnerabilities.
Broadcom patches VMware vCenter DCERPC flaws
On 2024-06-18, Broadcom/VMware released security advisory VMSA-2024-0012 with fixes for CVE-2024-37079 and related vCenter Server vulnerabilities, including another critical DCERPC heap overflow. The flaws could be triggered via crafted network packets and exposed unpatched vCenter deployments to possible remote code execution.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
Critical VMware VCenter Server Flaw CVE-2024-37079
thecyberexpress.com
Open sourceVMware vCenter Server bug added to CISA list exploited vulnerabilities | SC Media
scworld.com
Open sourceCISA says critical VMware RCE flaw now actively exploited
bleepingcomputer.com
Open sourceCISA Alert: Critical VMware vCenter RCE (CVSS 9.8) Now Exploited in the Wild
securityonline.info
Open sourceCISA Warns of Critical VMware vCenter RCE Vulnerability Now Exploited in Attacks
cybersecuritynews.com
Open sourceU.S. CISA adds a flaw in Broadcom VMware vCenter Server to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceCISA KEV Alert: 5 Critical Vulnerabilities Added to Catalog - TheCyberThrone
thecyberthrone.in
Open sourceCISA Adds 5 Enterprise Software Flaws To KEV Catalog
thecyberexpress.com
Open sourceCritical VMware vCenter Server bug under attack • The Register
go.theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Critical RCE Vulnerabilities in Enterprise Infrastructure (Cisco UC and VMware vCenter)
Reports warn of **in-the-wild exploitation** of critical remote code execution vulnerabilities affecting widely deployed enterprise infrastructure. One report describes a purported Cisco Unified Communications zero-day, **CVE-2024-20253**, impacting *Cisco Unified Communications Manager (Unified CM)*, *Cisco Unity Connection*, and *Webex Calling Dedicated Instance*, and claims it enables **unauthenticated command execution** via the web management interface, creating risk of full system compromise and rapid opportunistic scanning of internet-exposed instances. Separately, **CISA added Broadcom VMware vCenter Server CVE-2024-37079** (CVSS 9.8) to the **Known Exploited Vulnerabilities (KEV)** catalog based on evidence of exploitation; the issue is described as a **DCE/RPC heap overflow** that can lead to RCE via specially crafted network packets, and Broadcom updated its advisory to acknowledge observed exploitation. A third item (Rapid7’s Metasploit wrap-up) is not about either of these active-exploitation advisories; it covers new Metasploit modules for unrelated vulnerabilities (e.g., Oracle E-Business Suite **CVE-2025-61882** and Splunk issues), which may increase general exploitation capability but does not substantively corroborate the Cisco or VMware events.
Mar 21, 2026
CISA Flags VMware ESXi CVE-2025-22225 as Exploited in Ransomware Campaigns
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) updated its Known Exploited Vulnerabilities (**KEV**) catalog to indicate that **CVE-2025-22225**, a high-severity VMware ESXi *VMX sandbox escape* flaw, is now **known to be used in ransomware campaigns**. Broadcom patched the issue in March 2025 as part of advisory `VMSA-2025-0004`, describing CVE-2025-22225 as an **arbitrary kernel write** reachable by an attacker with privileges in the `VMX` process, enabling escape from the VMX sandbox to the ESXi kernel. The same advisory also addressed two other zero-days—**CVE-2025-22224** (TOCTOU leading to out-of-bounds write/code execution as the VMX process) and **CVE-2025-22226** (HGFS out-of-bounds read/memory disclosure)—which Broadcom previously tagged as actively exploited in the wild. Reporting also tied the ESXi exploitation to earlier sophisticated activity: Huntress described Chinese-speaking threat actors leveraging access via a compromised SonicWall VPN to deliver tooling targeting VMware ESXi and chaining a VM escape technique that appeared to predate public disclosure of the March 2025 ESXi zero-days. Separately, GreyNoise research highlighted a broader KEV-catalog visibility gap, finding that CISA **quietly “flipped”** dozens of KEV entries during 2025 from “Unknown” to “Known” for ransomware use without prominent public notification—an approach that can materially affect enterprise prioritization when a vulnerability’s status changes to confirmed ransomware exploitation.
Mar 21, 2026
CISA Flags Actively Exploited Microsoft Configuration Manager RCE (CVE-2024-43468)
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) added **CVE-2024-43468** to its Known Exploited Vulnerabilities (KEV) catalog after determining the flaw is being **actively exploited in the wild**. The vulnerability is a **critical (CVSS 9.8) SQL injection** in *Microsoft Configuration Manager* (ConfigMgr/SCCM) that can allow an **unauthenticated remote attacker** to achieve **remote code execution** by sending specially crafted requests, enabling command execution on the ConfigMgr server and/or its underlying site database with **high/`SYSTEM`-level impact**. CISA set a remediation deadline of **March 5** for U.S. Federal Civilian Executive Branch agencies under its Binding Operational Directive requirements; public reporting noted Microsoft’s advisory had previously assessed exploitation as “less likely,” and Microsoft had not (as of reporting) publicly detailed the threat actors or scope of exploitation. The issue was originally patched by Microsoft in **October 2024** after being reported by **Synacktiv**, and proof-of-concept exploit code was later published (including by Synacktiv), lowering the barrier to weaponization. Separate CISA KEV updates the same week also drove patching urgency across other widely deployed products (including **SolarWinds Web Help Desk** and multiple **Apple** platforms for a reportedly “extremely sophisticated” targeted attack), reinforcing that organizations should treat KEV additions as a high-confidence signal to accelerate patching and exposure reduction—particularly for internet-reachable management tooling like ConfigMgr that can provide broad administrative control if compromised.
Mar 21, 2026