The U.S. Government's cyber security agency has sounded the alarm again: the Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical vulnerability in VMware vCenter Server as actively exploited and has required civilian federal agencies to secure their servers within three weeks. The flaw, tracked as CVE-2024-37079, was patched by the vendor last June, but the combination of its severity and confirmed exploitation in the wild has raised the urgency of the response.
In simple terms, vCenter Server is the central console that manages VMware vSphere environments: it coordinates ESXi hosts, virtual machines and infrastructure policies. When such a critical component has a remote code execution flaw, the potential impact is enormous: an attacker with network access to vCenter could, by sending a specially crafted packet, run code on the server without credentials or user interaction. Technically, the weakness is an overflow in vCenter's handling of the DCERPC protocol, and by its nature it can be exploited with low attack complexity.

Broadcom, now the owner of VMware, warned its customers of the urgency of updating and published a security advisory; its communication makes clear that there is no reliable workaround for this vulnerability, so updating to the patched versions is the recommended action. The vendor's notice is available on its support portal: Broadcom advisory.
CISA formalized the gravity of the situation by adding CVE-2024-37079 to its Known Exploited Vulnerabilities catalog, and ordered non-military executive agencies (the Federal Civilian Executive Branch agencies) to protect vulnerable systems before 13 February 2026 in accordance with Binding Operational Directive BOD 22-01. You can read the CISA action and the requirement in its public statement: CISA alert, and on the directive page: BOD 22-01.
The fact that Broadcom confirmed signs of real exploitation in production environments intensifies the urgency: when a vendor and the national cybersecurity agency agree that a flaw is being exploited, the risk goes beyond mere hypothesis. In addition to applying the official patches (available in the VMware security section: VMware security notices), operations teams should assume the possibility of prior compromise and respond accordingly.
This is not the first time that virtualization technologies have appeared on the radar because of targeted exploitation: in previous months, campaigns have been detected that took advantage of flaws in VMware and other Broadcom-related products, which reinforces the idea that attackers consistently target the virtualized infrastructure management layer. These trends have led CISA to require rapid remediation on several occasions in recent years.
For managers and security officials, the first inescapable step is to plan and implement the vCenter update in controlled windows, testing the patches in non-production environments before deploying them to production. Since there are no official workarounds for CVE-2024-37079, it is also appropriate to reduce the attack surface as far as possible: isolate vCenter in a separate management network, apply strict firewall rules that limit which IP addresses can reach it, and review administrative access controls. It is also prudent to increase monitoring, correlate audit and traffic logs in search of abnormal patterns, and prepare incident response procedures in case suspicious activity is detected.
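As an added example, not taken from the article, Broadcom or CISA, the following Python script applies the paragraph's advice on isolation and log correlation: it reads firewall logs and reports accepted connections to a vCenter host that originate outside the management network. The vCenter address, the management subnet, the log format and the use of port 5480 for the appliance management interface are constructed assumptions for the sample.

```python
import ipaddress
import re

# Constructed firewall log sample (syslog-like), not taken from any real system.
# Assumed layout: vCenter at 10.10.10.5, management subnet 10.10.50.0/24,
# port 443 for the vSphere Client/API and 5480 for the appliance management UI.
SAMPLE_LOGS = """\
2026-01-20T10:01:02Z fw1 ACCEPT src=10.10.50.21 dst=10.10.10.5 dport=443 proto=tcp
2026-01-20T10:01:09Z fw1 ACCEPT src=10.10.50.22 dst=10.10.10.5 dport=5480 proto=tcp
2026-01-20T10:02:31Z fw1 ACCEPT src=192.168.77.40 dst=10.10.10.5 dport=443 proto=tcp
2026-01-20T10:02:32Z fw1 ACCEPT src=192.168.77.40 dst=10.10.10.5 dport=5480 proto=tcp
2026-01-20T10:03:00Z fw1 ACCEPT src=10.10.50.21 dst=10.10.10.9 dport=22 proto=tcp
2026-01-20T10:03:15Z fw1 DROP src=172.16.4.8 dst=10.10.10.5 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def find_unexpected_access(log_text, vcenter_hosts, management_nets):
    """Return ACCEPTed connections to a vCenter host whose source lies outside
    the allowed management networks. DROP lines are skipped: the firewall
    already enforced the rule there, so only accepted reachability is a finding."""
    targets = {ipaddress.ip_address(h) for h in vcenter_hosts}
    allowed = [ipaddress.ip_network(n) for n in management_nets]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if dst not in targets or any(src in net for net in allowed):
            continue
        findings.append({"ts": m["ts"], "src": str(src), "dst": str(dst), "dport": int(m["dport"])})
    return findings


def sources_to_review(findings):
    """Distinct offending sources mapped to the set of vCenter ports each reached."""
    summary = {}
    for f in findings:
        summary.setdefault(f["src"], set()).add(f["dport"])
    return summary


if __name__ == "__main__":
    for h in find_unexpected_access(SAMPLE_LOGS, ["10.10.10.5"], ["10.10.50.0/24"]):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} from outside the management network")
```

Every source the script reports is either a gap in the firewall policy or a host that should not be able to reach vCenter at all, and both deserve a look before the patch window closes.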

It is important to remember that maintaining verified backups and a clear recovery plan helps to limit the impact if an attack compromises the virtual infrastructure. In addition, coordinating with vendors and internal security teams to exchange indicators of compromise (IoCs) and lessons learned can accelerate containment and recovery.
The inclusion of this flaw in the catalog of vulnerabilities exploited by real actors, together with the direct order to federal agencies, highlights a recurring lesson: in critical infrastructure, management layers are high-value targets and require constant maintenance and surveillance. If you administer vCenter or depend on services that use it, the window to act is short, and the priority should be to apply the official patches and follow the guidance of the vendor and the competent authorities.
For more technical details on the vulnerability and access to the patches, see the official sources mentioned above: the CVE record at NIST (CVE-2024-37079), the vendor's advisory on Broadcom (Broadcom advisory) and CISA's communication (CISA alert).