Critical RCE Flaws Disclosed in Ivanti CSA and VMware vCenter
Critical vulnerabilities were disclosed in Ivanti Cloud Services Application (CSA) and VMware vCenter Server products, exposing enterprise management platforms to remote compromise. Ivanti said CSA 5.0.2 and earlier contain three flaws—CVE-2024-11639, CVE-2024-11772, and CVE-2024-11773—that can enable authentication bypass, remote code execution, and arbitrary SQL query execution through the administrator browser console, with the most severe issues rated CVSS 10.0. Ivanti released fixes in CSA 5.0.3 and urged customers to update immediately.
VMware also disclosed two vulnerabilities affecting vCenter Server and VMware Cloud Foundation: CVE-2024-38812, a heap overflow that can allow arbitrary code execution, and CVE-2024-38813, which can enable privilege escalation to root. The flaws affect vCenter Server 7.0 and 8.0 as well as VMware Cloud Foundation 4.x and 5.x, and can be exploited remotely over the network using specially crafted packets. In both vendor notices, no active exploitation had been confirmed at the time of disclosure, but organizations and service providers were advised to apply vendor-fixed versions without delay because successful attacks could result in full administrative compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Ivanti fixes critical CSA vulnerabilities in version 5.0.3
Ivanti disclosed three critical vulnerabilities in Cloud Services Application (CSA) admin console components: CVE-2024-11639, CVE-2024-11772, and CVE-2024-11773. The issues could allow authentication bypass, remote code execution, and arbitrary SQL execution, and were fixed in CSA version 5.0.3; Ivanti said it had not observed exploitation at the time of notice.
VMware discloses critical vCenter Server vulnerabilities and fixes
Broadcom/VMware disclosed CVE-2024-38812 and CVE-2024-38813 affecting VMware vCenter Server 7.0/8.0 and VMware Cloud Foundation 4.x/5.x. The flaws could enable remote code execution and privilege escalation, and customers were advised to update to fixed versions; no active exploitation was known at the time.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Kriittisiä haavoittuvuuksia Ivanti Cloud Services (CSA) -tuotteissa | Traficom
kyberturvallisuuskeskus.fi
Open sourceKriittisiä haavoittuvuuksia Ivanti Cloud Services (CSA) -tuotteissa | Traficom
kyberturvallisuuskeskus.fi
Open sourceKriittisiä haavoittuvuuksia VMware vCenter Serverissä | Traficom
kyberturvallisuuskeskus.fi
Open sourceKriittisiä haavoittuvuuksia VMware vCenter Serverissä | Traficom
kyberturvallisuuskeskus.fi
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
VMware vCenter Flaws Prompt Patches for RCE and Command Execution Risks
Broadcom issued **VMSA-2025-0010** to fix four vulnerabilities across VMware ESXi, vCenter Server, Workstation, Fusion, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure, led by **CVE-2025-41225**, an authenticated command-execution flaw in **vCenter Server** with a **CVSS 8.8** score. According to the advisory, an attacker able to create or modify alarms and run script actions could exploit the bug, while additional fixes address **CVE-2025-41226** and **CVE-2025-41227** denial-of-service issues and **CVE-2025-41228**, a reflected **XSS** flaw affecting ESXi and vCenter Server. VMware said patches are available for all affected products and that **no workarounds** exist. The latest advisory follows earlier VMware warnings over serious **vCenter Server** weaknesses, including **VMSA-2024-0012**, which disclosed **CVE-2024-37079**, **CVE-2024-37080**, and **CVE-2024-37081** as memory-management and corruption flaws that could enable **remote code execution** in vCenter services. VMware said at the time it had no evidence of active exploitation, but urged customers to apply the listed patch versions because no official mitigations were provided; public GitHub material later appeared referencing **CVE-2024-37081**, underscoring continued security attention on vCenter exposure.
May 26, 2026
CISA Flags Actively Exploited VMware vCenter Server RCE (CVE-2024-37079)
**CISA added CVE-2024-37079, a critical VMware vCenter Server vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog after Broadcom indicated it has evidence of in-the-wild exploitation.** The flaw is a **9.8 CVSS** out-of-bounds write/heap-overflow issue in vCenter Server’s **DCERPC** implementation; an attacker with network access can send specially crafted packets that may result in **remote code execution (RCE)**. CISA’s KEV entry does not attribute exploitation to a specific threat actor and lists ransomware use as **unknown**, but the KEV addition triggers mandatory remediation timelines for US federal agencies. Reporting also noted CISA added multiple other enterprise software issues to KEV in a short span (including vulnerabilities affecting **Versa Concerto** and **Zimbra**, plus developer tools), but the vCenter Server item drew specific attention because it was **patched by Broadcom in 2024** and is still being exploited. Broadcom has not publicly provided details on the scope, victims, or exploitation chain beyond acknowledging observed exploitation, reinforcing the need for organizations running vCenter Server to validate exposure and ensure the relevant updates are deployed.
Mar 21, 2026
Ivanti Patches RCE and Privilege Escalation Flaws in Secure Access Client and vTM
Ivanti released security updates for two enterprise products, fixing multiple vulnerabilities in **Ivanti Secure Access Client for Windows** and **Ivanti Virtual Traffic Manager (vTM)**. In Secure Access Client, version `22.8R6` addresses **CVE-2026-7431**, an incorrect permissions issue that could let a local authenticated user read or modify sensitive log data; **CVE-2026-7432**, a race condition that could allow local privilege escalation to `SYSTEM`; and **CVE-2026-8992`, an improper certificate validation flaw that could enable remote unauthenticated code execution. Ivanti said affected Secure Access Client versions are `22.8R5` and earlier and advised customers to upgrade to `22.8R6`. Ivanti also patched **CVE-2026-8051** in **Ivanti Virtual Traffic Manager**, a high-severity `CWE-78` OS command injection vulnerability with a CVSS score of `7.2` that could allow a remote authenticated administrator to achieve remote code execution. The flaw affects vTM `22.9r3` and earlier and is fixed in `22.9r4`. Ivanti said it was not aware of customer exploitation of any of the disclosed issues before publication and said the vulnerabilities were reported through its responsible disclosure program, crediting William Söderberg of Reversec for the vTM finding.
Jun 21, 2026