Active Exploitation of Critical RCE Vulnerabilities in Enterprise Infrastructure (Cisco UC and VMware vCenter)
Reports warn of in-the-wild exploitation of critical remote code execution vulnerabilities affecting widely deployed enterprise infrastructure. One report describes a purported Cisco Unified Communications zero-day, CVE-2024-20253, impacting Cisco Unified Communications Manager (Unified CM), Cisco Unity Connection, and Webex Calling Dedicated Instance, and claims it enables unauthenticated command execution via the web management interface, creating risk of full system compromise and rapid opportunistic scanning of internet-exposed instances.
Separately, CISA added Broadcom VMware vCenter Server CVE-2024-37079 (CVSS 9.8) to the Known Exploited Vulnerabilities (KEV) catalog based on evidence of exploitation; the issue is described as a DCE/RPC heap overflow that can lead to RCE via specially crafted network packets, and Broadcom updated its advisory to acknowledge observed exploitation. A third item (Rapid7’s Metasploit wrap-up) is not about either of these active-exploitation advisories; it covers new Metasploit modules for unrelated vulnerabilities (e.g., Oracle E-Business Suite CVE-2025-61882 and Splunk issues), which may increase general exploitation capability but does not substantively corroborate the Cisco or VMware events.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Federal deadline set for VMware vCenter CVE-2024-37079 remediation
Following KEV inclusion, U.S. Federal Civilian Executive Branch agencies were required to update to the latest fixed VMware vCenter version by February 13, 2026. The deadline formalized the federal remediation timeline for the actively exploited flaw.
CISA adds Cisco UC CVE-2024-20253 to KEV catalog
By January 25, 2026, CISA had added CVE-2024-20253 to the KEV catalog in response to active exploitation reports. Federal agencies were directed to remediate rapidly as part of KEV requirements.
Cisco issues advisories and Snort rules for CVE-2024-20253
Cisco issued urgent advisories for CVE-2024-20253 and released Snort detection rules 65750, 65751, and 65752 to help identify exploitation attempts. The guidance emphasized that no workaround exists and that patching and reducing exposure of management interfaces are the primary mitigations.
Cisco UC zero-day CVE-2024-20253 reported as actively exploited
By January 2026, a critical zero-day in Cisco Unified Communications products, CVE-2024-20253, was reported as under active exploitation in the wild. The flaw affects Unified CM, Unity Connection, and Webex Calling Dedicated Instance and can enable unauthenticated remote command execution on the underlying operating system.
CISA adds VMware vCenter CVE-2024-37079 to KEV catalog
On January 24, 2026, CISA added CVE-2024-37079 to its Known Exploited Vulnerabilities catalog after evidence emerged of active in-the-wild exploitation. Broadcom also updated its advisory to confirm it had information indicating exploitation, although attribution and scale were not disclosed.
Additional VMware vCenter DCE/RPC flaws patched
In September 2024, Broadcom patched two additional VMware vCenter DCE/RPC service vulnerabilities that researchers later grouped with CVE-2024-37079 and CVE-2024-37080 as part of a broader four-flaw set. This expanded the known scope of the vCenter DCE/RPC issue cluster.
Broadcom patches VMware vCenter flaws CVE-2024-37079 and CVE-2024-37080
In June 2024, Broadcom released fixes for CVE-2024-37079, a critical DCE/RPC heap overflow in VMware vCenter Server, along with the related flaw CVE-2024-37080. The vulnerability could allow remote code execution via specially crafted network packets from an attacker with network access.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Critical Cisco Unified Communications Zero-Day (CVE-2024-20253) Actively Exploited: Millions of Enterprises at Risk
rescana.com
Open sourceCISA Adds Actively Exploited VMware vCenter Flaw CVE-2024-37079 to KEV Catalog
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Cisco Unified Communications RCE (CVE-2026-20045)
Cisco released fixes for a **critical remote code execution** vulnerability in Unified Communications and *Webex Calling Dedicated Instance*, tracked as **CVE-2026-20045**, after it was **actively exploited as a zero-day**. The issue stems from **improper validation of user-supplied input in HTTP requests** to the web-based management interface; successful exploitation can provide **user-level OS access** and enable **privilege escalation to root**. Affected products include **Cisco Unified Communications Manager (Unified CM)**, **Unified CM Session Management Edition (SME)**, **Unified CM IM & Presence**, **Cisco Unity Connection**, and **Webex Calling Dedicated Instance**; Cisco provided version-specific remediations including fixed releases and `.cop` patch files (e.g., `ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512`). CISA added **CVE-2026-20045** to its **Known Exploited Vulnerabilities (KEV) Catalog**, citing evidence of active exploitation and highlighting code injection flaws as a common attack vector with significant risk to the federal enterprise. Under **Binding Operational Directive (BOD) 22-01**, Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities by the specified due date, and CISA urged all organizations to similarly prioritize patching to reduce exposure to ongoing attacks.
Mar 21, 2026
CISA Flags Actively Exploited VMware vCenter Server RCE (CVE-2024-37079)
**CISA added CVE-2024-37079, a critical VMware vCenter Server vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog after Broadcom indicated it has evidence of in-the-wild exploitation.** The flaw is a **9.8 CVSS** out-of-bounds write/heap-overflow issue in vCenter Server’s **DCERPC** implementation; an attacker with network access can send specially crafted packets that may result in **remote code execution (RCE)**. CISA’s KEV entry does not attribute exploitation to a specific threat actor and lists ransomware use as **unknown**, but the KEV addition triggers mandatory remediation timelines for US federal agencies. Reporting also noted CISA added multiple other enterprise software issues to KEV in a short span (including vulnerabilities affecting **Versa Concerto** and **Zimbra**, plus developer tools), but the vCenter Server item drew specific attention because it was **patched by Broadcom in 2024** and is still being exploited. Broadcom has not publicly provided details on the scope, victims, or exploitation chain beyond acknowledging observed exploitation, reinforcing the need for organizations running vCenter Server to validate exposure and ensure the relevant updates are deployed.
Mar 21, 2026
Active Exploitation of Critical Infrastructure Management RCE Flaws
Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.
Mar 21, 2026