The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical VMware vCenter Server vulnerability as actively exploited and ordered federal agencies to secure their servers within three weeks.
Patched in June 2024, this security flaw (CVE-2024-37079) stems from a heap overflow weakness in the DCERPC protocol implementation of vCenter Server (a Broadcom VMware vSphere management platform that helps admins manage ESXi hosts and virtual machines).
Threat actors with network access to vCenter Server could exploit this vulnerability by sending a specially crafted network packet that can trigger remote code execution in low-complexity attacks that do not require privileges on the targeted systems or user interaction.
There are no workarounds or mitigations for CVE-2024-37079, so Broadcom advised customers to apply security patches to the latest vCenter Server and Cloud Foundation releases as soon as possible.
On Friday, CISA added the vulnerability to its catalog of flaws exploited in the wild, giving Federal Civilian Executive Branch (FCEB) agencies three weeks to secure vulnerable systems by February 13th, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.
FCEB agencies are non-military U.S. executive branch agencies, such as the Department of State, the Department of Justice, the Department of Energy, and the Department of Homeland Security.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
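BOD 22-01 works on deadlines: every entry CISA adds to its Known Exploited Vulnerabilities (KEV) catalog carries a due date, and agencies (or anyone who tracks the catalog voluntarily) need to compare the CVEs present in their estate against those dates. The script below is an added example, not code from the article, CISA or Broadcom. It parses a record in the shape of the KEV catalog's JSON feed and reports, for a list of CVE IDs found in an environment, whether each one is listed, how many days remain before its due date, or how far overdue it is. The top-level field names (`vulnerabilities`, `cveID`, `dueDate`, `dateAdded`, `requiredAction`, and so on) follow the schema CISA publishes for the feed; the two sample records, their names and every date in them are constructed for this example and are not the catalog's real entries, so in practice you would feed the script the downloaded JSON instead of `SAMPLE_KEV_JSON`.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The field names follow
# the published feed schema; the records, dates and text values are illustrative
# only (the due date matches the article; the other dates are made up).
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the real catalog",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-37079",
            "vendorProject": "Broadcom",
            "product": "VMware vCenter Server",
            "vulnerabilityName": "vCenter Server DCERPC heap overflow (constructed record)",
            "dateAdded": "2026-01-23",  # constructed: three weeks before the due date
            "dueDate": "2026-02-13",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2025-41244",
            "vendorProject": "Broadcom",
            "product": "VMware Aria Operations and VMware Tools",
            "vulnerabilityName": "constructed placeholder name",
            "dateAdded": "2025-10-30",  # constructed
            "dueDate": "2025-11-20",    # constructed
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def load_kev(feed_text):
    """Parse the feed and index its vulnerability records by CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def kev_status(catalog, cve_ids, today):
    """Map each CVE to ('not_listed', None), ('due', days_left) or ('overdue', days_past).

    `today` may be a date or an ISO-8601 string so callers can pass either.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    result = {}
    for cve in cve_ids:
        entry = catalog.get(cve)
        if entry is None:
            result[cve] = ("not_listed", None)
            continue
        delta = (date.fromisoformat(entry["dueDate"]) - today).days
        result[cve] = ("due", delta) if delta >= 0 else ("overdue", -delta)
    return result


def entries_for_vendor(catalog, vendor):
    """All catalog entries whose vendorProject matches, for a vendor-wide review."""
    return sorted(
        cve for cve, entry in catalog.items()
        if entry["vendorProject"].lower() == vendor.lower()
    )


def print_report(status, catalog):
    """Human-readable summary, worst cases first."""
    order = {"overdue": 0, "due": 1, "not_listed": 2}
    for cve, (state, days) in sorted(status.items(), key=lambda kv: (order[kv[1][0]], kv[0])):
        if state == "not_listed":
            print(f"{cve}: not in KEV (no BOD 22-01 deadline, still patch per vendor guidance)")
        else:
            action = catalog[cve]["requiredAction"]
            print(f"{cve}: {state} ({days} days, due {catalog[cve]['dueDate']}) - {action}")


if __name__ == "__main__":
    # CVE IDs as a vulnerability scanner might report them; constructed for the demo.
    found_in_environment = ["CVE-2024-37079", "CVE-2025-41244", "CVE-2025-22224"]
    kev = load_kev(SAMPLE_KEV_JSON)
    print_report(kev_status(kev, found_in_environment, "2026-02-01"), kev)
    print("Broadcom entries in catalog:", entries_for_vendor(kev, "Broadcom"))
```

Because the real feed is a single JSON document with the same `vulnerabilities` array, the only change needed for production use is to replace `SAMPLE_KEV_JSON` with the downloaded file's contents; the deadline logic and the vendor filter work unchanged on the full catalog.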
The same day, Broadcom updated its original advisory and confirmed that it is also aware that CVE-2024-37079 has been exploited in the wild.
“Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild,” it cautioned.
In October, CISA also ordered U.S. government agencies to patch a high-severity vulnerability (CVE-2025-41244) in Broadcom’s VMware Aria Operations and VMware Tools software, which Chinese hackers had been exploiting in zero-day attacks since October 2024.
Last year, Broadcom also released security patches to address two high-severity VMware NSX flaws (CVE-2025-41251 and CVE-2025-41252) reported by the U.S. National Security Agency (NSA) and fixed three other actively exploited VMware zero-days (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) reported by Microsoft.