CISA Warns of Actively Exploited Critical VMware vCenter RCE Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in Broadcom VMware vCenter Server to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

Federal agencies must patch affected systems by February 13, 2026, under Binding Operational Directive 22-01.

Vulnerability Overview

CVE-2024-37079 is an out-of-bounds write vulnerability affecting the DCERPC (Distributed Computing Environment / Remote Procedure Call) protocol implementation in VMware vCenter Server.

The flaw enables threat actors with network access to send specially crafted network packets to vulnerable vCenter instances, potentially achieving remote code execution without authentication.

CISA’s inclusion of CVE-2024-37079 in the KEV catalog signals that attackers are actively…