VMware vCenter Flaws Prompt Patches for RCE and Command Execution Risks
Broadcom issued VMSA-2025-0010 to fix four vulnerabilities across VMware ESXi, vCenter Server, Workstation, Fusion, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure, led by CVE-2025-41225, an authenticated command-execution flaw in vCenter Server with a CVSS 8.8 score. According to the advisory, an attacker able to create or modify alarms and run script actions could exploit the bug, while additional fixes address CVE-2025-41226 and CVE-2025-41227 denial-of-service issues and CVE-2025-41228, a reflected XSS flaw affecting ESXi and vCenter Server. VMware said patches are available for all affected products and that no workarounds exist.
The latest advisory follows earlier VMware warnings over serious vCenter Server weaknesses, including VMSA-2024-0012, which disclosed CVE-2024-37079, CVE-2024-37080, and CVE-2024-37081 as memory-management and corruption flaws that could enable remote code execution in vCenter services. VMware said at the time it had no evidence of active exploitation, but urged customers to apply the listed patch versions because no official mitigations were provided; public GitHub material later appeared referencing CVE-2024-37081, underscoring continued security attention on vCenter exposure.

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Broadcom publishes VMSA-2025-0010 for four VMware vulnerabilities
On 2025-05-20, Broadcom published VMware Security Advisory VMSA-2025-0010 covering four vulnerabilities affecting ESXi, vCenter Server, Workstation, Fusion, Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure. The most severe, CVE-2025-41225, is an authenticated command-execution flaw in vCenter Server rated CVSS 8.8; updates were released for all affected products and no workarounds were available.
Public PoC repository appears for CVE-2024-37081
By 2024-07-06, a GitHub repository dedicated to CVE-2024-37081 had been published, indicating public technical material or proof-of-concept activity related to the vCenter Server vulnerability.
VMware discloses critical vCenter Server flaws in VMSA-2024-0012
On 2024-06-17, VMware published advisory VMSA-2024-0012 for three critical vCenter Server vulnerabilities, CVE-2024-37079, CVE-2024-37080, and CVE-2024-37081. The company said the issues could potentially enable remote code execution, noted ESXi was not affected, and provided patches with no official workaround.
Sources
Support Content Notification - Support Portal - Broadcom support portal
support.broadcom.com
vcf-security-and-compliance-guidelines/security-advisories/vmsa-2024-0012 at main · vmware/vcf-security-and-compliance-guidelines · GitHub
github.com
GitHub - mbadanoiu/CVE-2024-37081: CVE-2024-37081: Multiple Local Privilege Escalation in VMware vCenter Server · GitHub
github.com
Support Content Notification - Support Portal - Broadcom support portal
web.archive.org


