Broadcom (VMware) has updated its security advisory VMSA-2024-0012.1 with a particularly important note for infrastructure teams: signs of active exploitation in the wild of CVE-2024-37079, one of the critical vulnerabilities affecting VMware vCenter Server. The advisory update is dated January 23, 2026, and it leaves no doubt: patching is no longer a recommendation, it’s an operational priority.
The advisory groups three CVEs: two heap-overflow vulnerabilities in the DCERPC protocol (associated with possible remote code execution) and a local privilege escalation vulnerability resulting from a misconfiguration of sudo.
What has been officially published
From a technical and impact perspective, the advisory covers:
- CVE-2024-37079 and CVE-2024-37080 (Critical, CVSS 9.8): Heap-overflow vulnerabilities in DCERPC. An attacker with network access could trigger them through specially crafted packets, risking RCE (according to the manufacturer’s own assessment).
- CVE-2024-37081 (Important/Critical in the advisory, CVSS 7.8): Local privilege escalation: an authenticated local user without administrative privileges could elevate to root on the vCenter Server Appliance.
Additionally, the update from January 23, 2026, adds a line that shifts the risk context: “Broadcom has information suggesting that exploitation of CVE-2024-37079 has occurred in the wild.”
As an additional sign of operational criticality, the NVD entry shows that CVE-2024-37079 was added to the CISA KEV catalog on January 23, 2026, with a remediation deadline set by CISA.
Table 1 — Executive Summary (the essentials)
| Element | Detail |
|---|---|
| Advisory | VMSA-2024-0012.1 (updated 01/23/2026) |
| Affected products | VMware vCenter Server; VMware Cloud Foundation |
| CVEs | CVE-2024-37079, CVE-2024-37080, CVE-2024-37081 |
| Main impact | Remote Code Execution (RCE) in DCERPC + local privilege escalation |
| Severity | Critical (up to CVSS 9.8); 7.8 for LPE |
| Active exploitation | Indicated for CVE-2024-37079 as “in the wild” |
| Workaround | For RCE (37079/37080), indicated as not feasible; for 37081, no workaround available |
Table 2 — Corrected versions (manufacturer response matrix)
| Platform | Line | Covered CVEs | Suggested fix |
|---|---|---|---|
| vCenter Server | 8.0 | 37079/37080/37081 | vCenter 8.0 U2d |
| vCenter Server | 8.0 | 37079/37080 | vCenter 8.0 U1e |
| vCenter Server | 7.0 | 37079/37080/37081 | vCenter 7.0 U3r |
| Cloud Foundation (vCenter) | 5.x / 4.x | 37079/37080/37081 | KB88287 |
Why is vCenter particularly vulnerable?
vCenter is typically the control plane in virtualization: inventory, permissions, provisioning, virtual networks, storage, and operations. As a result, even when “only” one component is affected, the potential impact is disproportionately high compared to other services: a failure or takeover could lead to loss of operational control, service disruptions, and lateral movement.
The key factors recognized in the advisory include:
- Network vector (for the critical DCERPC CVEs)
- Critical severity (9.8)
- Signs of actual exploitation (at least for CVE-2024-37079)
Recommended actions for system teams (priority order)
- Immediate inventory
  - Locate all vCenter and Cloud Foundation environments (including DR/BCP and connected labs).
- Prioritize based on exposure
  - Isolate any unnecessary network routes to vCenter (segmenting, ACLs, bastion hosts, VPNs, controlled hops). Although the advisory mentions “network access,” the safest practice is treating vCenter as a management network-only service.
- Apply the correct patch
  - vCenter 8.0 → U2d (or U1e if applicable to your branch/case)
  - vCenter 7.0 → U3r
  - Cloud Foundation 4.x/5.x → KB88287
- Post-update verification
  - Confirm version and service status, and review integrity/operational logs.
  - Maintain heightened monitoring after patching (attack windows often intensify after wide dissemination).
- Reduce operational risk
  - Review privileged access to VCSA, enable MFA where applicable, and harden the management plane.
  - Align with internal vulnerability management procedures (critical SLA).
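
The inventory and version-confirmation steps above can be scripted against Table 2. The following is an added example, not code from Broadcom or from the advisory: it parses release labels such as `8.0 U2c`, reports which of the three CVEs remain open at that label, and orders hosts for patching. It assumes the inventory already records release labels rather than build numbers, that letters within one update sort alphabetically, and that an update newer than every listed one carries the fixes forward; the host names are constructed.

```python
import re

ALL = frozenset({"CVE-2024-37079", "CVE-2024-37080", "CVE-2024-37081"})
RCE = frozenset({"CVE-2024-37079", "CVE-2024-37080"})

# Table 2 of this page: (line, update number) -> (first fixed letter, CVEs it covers)
FIXES = {("8.0", 2): ("d", ALL), ("8.0", 1): ("e", RCE), ("7.0", 3): ("r", ALL)}

LABEL = re.compile(r"^\s*(\d+\.\d+)(?:\s*U(\d+)([a-z]?))?\s*$", re.IGNORECASE)


def parse_label(label):
    """Split a release label such as '8.0 U2c' into ('8.0', 2, 'c')."""
    m = LABEL.match(label)
    if not m:
        raise ValueError(f"unrecognized release label: {label!r}")
    line, update, letter = m.groups()
    return line, int(update or 0), (letter or "").lower()


def open_cves(label):
    """Return the advisory CVEs still unpatched at this release label."""
    line, update, letter = parse_label(label)
    listed = [u for (l, u) in FIXES if l == line]
    if not listed:
        raise ValueError(f"line {line} is not in Table 2; check the advisory")
    if (line, update) in FIXES:
        fixed_letter, covered = FIXES[(line, update)]
        # '' < 'a' < 'b' ..., so a bare 'U2' sorts before 'U2d'
        return ALL - covered if letter >= fixed_letter else ALL
    # Assumption: an update newer than every listed one carries the fixes forward
    return frozenset() if update > max(listed) else ALL


def triage(inventory):
    """Order hosts: open RCE CVEs first, then LPE only, then covered."""
    rows = [(host, label, open_cves(label)) for host, label in inventory]
    return sorted(rows, key=lambda r: (not (r[2] & RCE), not r[2], r[0]))


# Constructed inventory (hypothetical host names, not from the advisory)
INVENTORY = [("vc-prod", "8.0 U2d"), ("vc-dr", "8.0 U1e"),
             ("vc-lab", "7.0 U3q"), ("vc-edge", "8.0 U2")]

if __name__ == "__main__":
    for host, label, cves in triage(INVENTORY):
        print(f"{host:8} {label:8} {', '.join(sorted(cves)) or 'covered'}")
```

Note that a host on 8.0 U1e is reported with CVE-2024-37081 still open, matching the second row of Table 2, which lists only the two DCERPC CVEs for that release.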

