CISA Adds Actively Exploited VMware vCenter Flaw CVE-2024-37079 to the KEV Catalog
The U.S. agency CISA lists the vulnerability CVE-2024-37079 in VMware vCenter Server as a “Known Exploited Vulnerability,” indicating that the flaw is not only theoretically exploitable but has already been abused in real-world attacks.
The KEV Catalog is a CISA-maintained list of vulnerabilities that are confirmed to be actively exploited and therefore receive mandatory remediation prioritization across U.S. federal agencies; in practice, many organizations also use it as a reliable signal of real exploit pressure. Standardized documentation for CVE-2024-37079, including references and KEV context, is also available in the NIST NVD entry.
Broadcom Confirms Signs of Exploitation of CVE-2024-37079
Broadcom updated the related security advisory on January 23, 2026, adding that it has information suggesting “in the wild” exploitation of CVE-2024-37079. That wording is the key difference between “critical but with no confirmed attacks” and a situation where scanning, exploitation attempts, and follow-on compromises must be realistically anticipated—especially in environments where vCenter is reachable from broader network segments.
For operators, the second vendor point in the advisory is particularly relevant: while Broadcom evaluated workarounds, it considers them not viable. That leaves updates to the vendor-designated fixed versions as the only dependable path to risk reduction, rather than relying on interim measures that may only appear to blunt the exploit vector.
What Is Known About CVE-2024-37079 in VMware vCenter Server
Broadcom describes CVE-2024-37079 as involving memory corruption issues in DCE/RPC processing that can be triggered by specially crafted network packets and could potentially lead to remote code execution. From an operational perspective, the access path matters most: once an attacker has the required network route to a vCenter instance, the vulnerability becomes substantially more attractive because vCenter typically operates with high privileges and consolidates central control functions in many environments.
For remediation, Broadcom points to specific target builds in the response matrix within the advisory. The practical takeaway is that operators should systematically validate installed builds against the listed “Fixed Versions,” rather than relying on rough version assumptions, since patch levels and upgrade paths in vSphere stacks are often heterogeneous.
Why the Combination of “Actively Exploited” and vCenter Is Especially Serious
In many data centers, vCenter is the management control plane for virtualization, used to administer hosts, clusters, permissions, and VM lifecycle operations. From an attacker’s perspective, it is a high-leverage target because access to the management layer often creates broader downstream risk than the compromise of a single application server. For that reason, CVE-2024-37079 in VMware vCenter Server should not be treated as just another backlog patch, but as a time-critical fix that affects the attack surface of the entire platform.
What is factual is the vendor’s note indicating “in the wild” exploitation and the absence of a viable workaround option in the Broadcom advisory. It is equally factual that CVE-2024-37079 is listed in the CISA KEV Catalog. The resulting prioritization is a sound operational consequence, because for actively exploited vulnerabilities any additional exposure—through unnecessary reachability or delayed change windows—directly increases incident risk.
What Operators Should Prioritize Now
The practical sequence is clear: apply the vendor-recommended updates first, reduce management-plane reachability in parallel, and strengthen detection. If you can patch now, move the update forward without delay; if you are organizationally constrained, treat interim steps as risk reduction—not as a substitute for remediation.
- Patch with full scope. Inventory all vCenter instances including test, staging, and DR environments, and validate installed builds against the vendor-listed “Fixed Versions” in the Broadcom advisory so that no overlooked management node remains as an entry point.
- Minimize exposure. Run vCenter only in dedicated management networks, restrict access to controlled admin paths, and remove any unnecessary reachability from less trusted segments, because CVE-2024-37079 requires an accessible network path.
- Increase monitoring and response readiness. Centralize relevant logs from the management zone, alert on suspicious access and process patterns around vCenter, and ensure escalation paths and roles are clearly defined in case of a suspected incident.
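The build validation and exposure steps above can be scripted against an inventory export. The following is an added example, not code from Broadcom, CISA, or this article: the build thresholds are placeholders to be replaced with the advisory's "Fixed Versions", the hosts and CSV columns are constructed, and it assumes build numbers increase within a release line.

```python
import csv
import io

# PLACEHOLDER thresholds (constructed, not real builds): replace with the
# "Fixed Versions" build numbers from the Broadcom advisory's response matrix.
FIXED_BUILDS = {"8.0": 20000000, "7.0": 10000000}

# Constructed sample inventory: hypothetical hosts, builds and reachability flags.
INVENTORY_CSV = """name,env,version,build,reachable_from_untrusted
vc-prod-01,prod,8.0.2,20000500,no
vc-dr-01,dr,8.0.1,19000000,no
vc-test-01,test,7.0.3,9999999,yes
vc-lab-01,staging,6.7.0,8000000,yes
vc-stage-02,staging,8.0.2,,no
"""

def release_line(version):
    """Reduce '8.0.2' to its release line '8.0'."""
    return ".".join(version.strip().split(".")[:2])

def classify(row):
    fixed = FIXED_BUILDS.get(release_line(row["version"]))
    if fixed is None:
        return "REVIEW"  # release line not in the table: check the advisory manually
    try:
        build = int(row["build"])
    except ValueError:
        return "REVIEW"  # missing or non-numeric build: never assume patched
    return "FIXED" if build >= fixed else "VULNERABLE"

def triage(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["status"] = classify(r)
        r["exposed"] = r["reachable_from_untrusted"].strip().lower() == "yes"
    order = {"VULNERABLE": 0, "REVIEW": 1, "FIXED": 2}
    # Unpatched first; within a status, nodes reachable from less trusted segments first.
    rows.sort(key=lambda r: (order[r["status"]], not r["exposed"], r["name"]))
    return [(r["name"], r["env"], r["status"], r["exposed"]) for r in rows]

if __name__ == "__main__":
    for name, env, status, exposed in triage(INVENTORY_CSV):
        print(f"{status:<10} {name:<12} {env:<8} exposed={exposed}")
```

Instances on a release line missing from the table, or with no recorded build, are reported as REVIEW rather than treated as patched, so test, staging, and DR nodes do not drop out of scope.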




