CriticalCISA KEVExploited in the wildPublic exploit

Privilege Escalation to Root in VMware vCenter Server

IdentifiersCVE-2024-38813CWE-269

CVE-2024-38813 is a VMware vCenter Server privilege escalation vulnerability affecting vCenter Server 7.0 and 8.0, as well as VMware Cloud Foundation 4.x and 5.x deployments that include the affected vCenter components. According to the provided content, a malicious actor with network access to vCenter Server can trigger the flaw by sending a specially crafted network packet, resulting in privilege escalation to root. The content does not identify the exact vulnerable function or code path, but it consistently characterizes the issue as a network-reachable privilege escalation vulnerability in vCenter Server and notes it as part of a broader cluster of DCE/RPC-related vCenter flaws discussed by researchers.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to elevate privileges on the vCenter Server to root. Root compromise of vCenter is highly significant because vCenter is the management plane for ESXi hosts and virtualized workloads; compromise can enable full administrative control of the vCenter appliance and may facilitate broader compromise of managed infrastructure. The provided content also states that researchers reported this flaw can be chained with a vCenter heap overflow vulnerability to achieve unauthorized remote root access and ultimately gain control over ESXi. The content further indicates exploitation has been observed in the wild.

Mitigation

If you can’t patch tonight, do this now.

The provided content indicates there are no workarounds for this vulnerability beyond patching. As risk-reduction measures pending full remediation, restrict network access to vCenter Server, segment or air-gap the management network from production and public networks, limit privileged access to management-plane systems, and monitor vCenter for unusual activity, unexpected protocol errors, failed authentication attempts, and suspicious configuration changes.

Remediation

Patch, then assume compromise.

Apply VMware/Broadcom security updates for the affected products. The provided content states fixes are available for vCenter Server 8.0 in 8.0 U3b and for vCenter Server 7.0 in 7.0 U3s. VMware Cloud Foundation 5.x and 4.x receive the corresponding asynchronous patches based on those fixed vCenter versions. Customers should update to the latest vendor-fixed builds immediately.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

BroadcomCloud Foundationapplication

BroadcomVcenter Serverapplication

BroadcomVmware Center Serverapplication

BroadcomVmware Cloud Foundationapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app

scworldNews

Jan 26, 2026

VMware vCenter Server bug added to CISA list exploited vulnerabilities | SC Media

One of a cluster of four vulnerabilities affecting VMware vCenter Server’s DCE/RPC protocol implementation, mentioned as compounding risk when chained with CVE-2024-37079.

security affairsNews

Jan 24, 2026

U.S. CISA adds a flaw in Broadcom VMware vCenter Server to its Known Exploited Vulnerabilities catalog

A privilege escalation vulnerability referenced as chainable with a vCenter DCERPC heap-overflow flaw to achieve unauthorized remote root access on ESXi.

the hacker newsNews

Jan 24, 2026

CISA Adds Actively Exploited VMware vCenter Flaw CVE-2024-37079 to KEV Catalog

A privilege escalation flaw (in the referenced DCE/RPC service vulnerability set) that can be chained with a heap overflow to obtain unauthorized remote root access and ultimately control ESXi.

bleeping computerNews

Sep 30, 2025

Broadcom fixes high-severity VMware NSX bugs reported by NSA

A VMware vCenter Server privilege escalation to root vulnerability that the article says attackers began exploiting.

+3 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2024-38813

NVD

nvd.nist.gov/vuln/detail/CVE-2024-38813

MITRE CWE · CWE-269

cwe.mitre.org

Vendor Advisory

support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-38813