VMware vCenter Server Vulnerabilities Now Under Active Exploitation

November 18, 2024

Broadcom has issued a warning about the active exploitation of two vulnerabilities in VMware vCenter Server. One of these is a critical remote code execution (RCE) flaw, reported by TZL security researchers during China's 2024 Matrix Cup hacking contest. This vulnerability, tracked as CVE-2024-38812, results from a heap overflow weakness in vCenter's DCE/RPC protocol implementation. It affects products that include vCenter, such as VMware vSphere and VMware Cloud Foundation.

The second vulnerability, CVE-2024-38813, is a privilege escalation flaw. It allows attackers to escalate their privileges to root by using a specially crafted network packet. Broadcom confirmed that both CVE-2024-38812 and CVE-2024-38813 have been exploited in the wild.

In September, Broadcom released security updates to address these vulnerabilities. However, about a month later, it updated the security advisory with a note that the original patch for CVE-2024-38812 had not fully resolved the issue. The company strongly recommended that administrators apply the new patches. There are no workarounds for these security flaws, so the latest updates need to be applied immediately to prevent exploitation.

Broadcom also released a supplemental advisory providing additional information on how to deploy the security updates on affected systems. It also covered known issues that could impact those who have already upgraded. In June, Broadcom fixed a similar vCenter Server RCE vulnerability, CVE-2024-37079, which could also be exploited via specially crafted packets.

Threat actors, including ransomware gangs and state-sponsored hacking groups, often target vulnerabilities in VMware vCenter. For instance, in January, Broadcom disclosed that a critical vCenter Server vulnerability, CVE-2023-34048, had been exploited as a zero-day by Chinese state hackers since at least late 2021. This threat group, identified as UNC3886 by security firm Mandiant, used the flaw to deploy VirtualPita and VirtualPie backdoors on ESXi hosts through maliciously crafted vSphere Installation Bundles (VIBs).
