BRICKSTORM Threat Highlights vCenter Server as a Tier-0 Target
Google Cloud's Mandiant warned that VMware vCenter Server Appliance (VCSA) should be treated as a Tier-0 asset because compromise can hand attackers administrative control over managed ESXi hosts and virtual machines, expose virtual disk data, and enable stealthy activity through Photon OS shell access that often lacks remote command logging. The guidance ties these risks to BRICKSTORM malware activity and emphasizes that vCenter commonly underpins highly sensitive workloads, including domain controllers and privileged access management systems.
The report says operational dependencies can magnify the impact of a vCenter intrusion because many organizations run Active Directory domain controllers inside the same vSphere environment, complicating authentication and recovery if vCenter, networking, or datastores are disrupted. Mandiant urged defenders to harden and patch vSphere environments, strengthen identity controls and network segmentation, and improve logging and forensic visibility, while noting that vSphere 7 reached end of life in October 2025 and no longer receives security fixes unless organizations upgrade.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Mandiant releases vCenter hardening script and scanner tool
Alongside its BRICKSTORM defender guidance, Mandiant released a vCenter hardening script and scanner tool to modify insecure default settings and enforce stronger security controls on the Photon Linux layer of VCSA. The tools were intended to help defenders assess and harden VMware vSphere environments against PRC-linked intrusion activity.
Google publishes defender guidance on vSphere and BRICKSTORM risks
Google Cloud's Mandiant Threat Intelligence team published guidance describing the vCenter Server Appliance as a Tier-0 asset and outlining the risks of compromise, including administrative control over ESXi hosts and virtual machines, access to virtual disk data, and limited visibility into Photon OS shell activity. The guidance recommends hardening, patching, stronger identity controls, network segmentation, and improved logging and forensic visibility.
vSphere 7 reaches end of life
VMware vSphere 7 reached end of life, leaving organizations that remain on the platform without future security patches unless they upgrade. The reference highlights this as increasing exposure to unpatched vulnerabilities in vSphere environments.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
VMware vCenter Flaws Prompt Patches for RCE and Command Execution Risks
Broadcom issued **VMSA-2025-0010** to fix four vulnerabilities across VMware ESXi, vCenter Server, Workstation, Fusion, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure, led by **CVE-2025-41225**, an authenticated command-execution flaw in **vCenter Server** with a **CVSS 8.8** score. According to the advisory, an attacker able to create or modify alarms and run script actions could exploit the bug, while additional fixes address **CVE-2025-41226** and **CVE-2025-41227** denial-of-service issues and **CVE-2025-41228**, a reflected **XSS** flaw affecting ESXi and vCenter Server. VMware said patches are available for all affected products and that **no workarounds** exist. The latest advisory follows earlier VMware warnings over serious **vCenter Server** weaknesses, including **VMSA-2024-0012**, which disclosed **CVE-2024-37079**, **CVE-2024-37080**, and **CVE-2024-37081** as memory-management and corruption flaws that could enable **remote code execution** in vCenter services. VMware said at the time it had no evidence of active exploitation, but urged customers to apply the listed patch versions because no official mitigations were provided; public GitHub material later appeared referencing **CVE-2024-37081**, underscoring continued security attention on vCenter exposure.
May 26, 2026
Mandiant Details Detection and Hardening for VMware ESXi Hypervisors
Mandiant published guidance on improving detection and hardening for **VMware ESXi hypervisors**, highlighting defensive measures for environments where attackers may target the virtualization layer. The report, part of the **"Bad VIB(E)s"** series, focuses on strengthening visibility into ESXi activity and reducing opportunities for malicious persistence or tampering on hosts that underpin large portions of enterprise infrastructure. The guidance emphasizes securing hypervisors as high-value assets because compromise at that layer can affect multiple hosted workloads at once. Mandiant’s recommendations center on better monitoring and hardening of ESXi systems, helping defenders identify suspicious changes and strengthen controls around components such as VMware installation bundles and host-level configurations.
Jun 24, 2026
CISA Flags Actively Exploited VMware vCenter Server RCE (CVE-2024-37079)
**CISA added CVE-2024-37079, a critical VMware vCenter Server vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog after Broadcom indicated it has evidence of in-the-wild exploitation.** The flaw is a **9.8 CVSS** out-of-bounds write/heap-overflow issue in vCenter Server’s **DCERPC** implementation; an attacker with network access can send specially crafted packets that may result in **remote code execution (RCE)**. CISA’s KEV entry does not attribute exploitation to a specific threat actor and lists ransomware use as **unknown**, but the KEV addition triggers mandatory remediation timelines for US federal agencies. Reporting also noted CISA added multiple other enterprise software issues to KEV in a short span (including vulnerabilities affecting **Versa Concerto** and **Zimbra**, plus developer tools), but the vCenter Server item drew specific attention because it was **patched by Broadcom in 2024** and is still being exploited. Broadcom has not publicly provided details on the scope, victims, or exploitation chain beyond acknowledging observed exploitation, reinforcing the need for organizations running vCenter Server to validate exposure and ensure the relevant updates are deployed.
Mar 21, 2026