What happened
CISA added CVE-2024-37079 to the Known Exploited Vulnerabilities catalog on 2026-01-23, flagging active exploitation and mandating federal remediation timelines (CISA KEV). The vulnerability is an out-of-bounds write in Broadcom VMware vCenter Server’s implementation of the DCERPC protocol, reachable via network-delivered packets (NVD detail). The same description is recorded in the authoritative CVE entry, identifying the product and flaw class (MITRE CVE).
CISA’s entry states that a malicious actor with network access to vCenter Server can send specially crafted packets to potentially achieve remote code execution (CISA KEV). NVD attributes the issue to CWE-787 (Out-of-bounds Write), a memory corruption class frequently associated with control-flow hijack and RCE conditions (NVD detail).
CISA directs organizations to apply vendor mitigations or discontinue use if mitigations are unavailable, with a remediation due date of 2026-02-13 for covered entities (CISA KEV).
Why it matters
The affected component is VMware vCenter Server, Broadcom’s central management product named explicitly in the CVE record (MITRE CVE). An exploitable out-of-bounds write reachable over the network broadens attacker opportunity from adjacent or local vectors to remote targeting via crafted inputs (NVD detail). The potential for remote code execution elevates the impact from denial-of-service or crash to full adversary code execution under the vCenter Server context (CISA KEV).
CISA’s KEV listing denotes confirmed exploitation in the wild, a strong indicator that opportunistic and targeted campaigns will continue to probe unpatched instances (CISA KEV). Because the flaw is in DCERPC handling, attackers can work entirely at the protocol boundary without requiring local access, aligning with the “specially crafted network packets” exploitation model (NVD detail).
Technical detail
Per the CVE description, the bug arises from an out-of-bounds write during DCERPC protocol processing inside vCenter Server (MITRE CVE). Out-of-bounds writes (CWE-787) occur when code writes past the bounds of a buffer, corrupting adjacent memory and enabling attacker-controlled data to overwrite critical structures (NVD detail). In network protocol parsers, such errors are typically triggered by malformed or specially constructed frames that cause miscalculated lengths or improper bounds checks (NVD detail).
The observable trigger described is “specially crafted network packets” sent by a remote actor with network access to the vCenter Server interface, which aligns with a protocol-level parsing flaw susceptible to malicious payload shape rather than normal operational traffic (CISA KEV). Because the flaw is capable of leading to RCE, a successful exploit could execute arbitrary code within the service process context handling DCERPC (NVD detail).
The vulnerability tracking explicitly lists VMware vCenter Server as the impacted product under Broadcom’s stewardship, confirming the affected target surface (MITRE CVE). The assignment to CWE-787 provides additional confirmation of the class of memory safety failure involved (NVD detail).
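The length checks whose absence produces a CWE-787 write in a protocol parser, shown as an added example on the DCE/RPC connection-oriented common header. This is not VMware's code and not a reconstruction of CVE-2024-37079, whose exact location the sources cited here do not give. `MAX_BODY`, `struct pdu` and the function names are assumptions of this example, and `check_sample` builds constructed headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CO_HDR_LEN      16u    /* DCE/RPC connection-oriented common header */
#define SEC_TRAILER_LEN 8u     /* fixed part of the auth verifier */
#define MAX_BODY        4096u  /* assumed receive buffer size (example value) */

enum pdu_status { PDU_OK, PDU_SHORT, PDU_BAD_VERSION, PDU_BAD_FRAG_LEN,
                  PDU_BAD_AUTH_LEN, PDU_TOO_BIG };
struct pdu { uint8_t ptype; uint16_t body_len; uint8_t body[MAX_BODY]; };

/* Read a 16-bit field in the byte order declared by packed_drep[0]. */
static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}

/* Check every length against the bytes actually received before copying. */
enum pdu_status parse_co_pdu(const uint8_t *buf, size_t received, struct pdu *out) {
    if (received < CO_HDR_LEN) return PDU_SHORT;
    if (buf[0] != 5) return PDU_BAD_VERSION;           /* rpc_vers */
    int le = (buf[4] & 0x10) != 0;                      /* integer representation */
    uint16_t frag_len = rd16(buf + 8, le);              /* sender-supplied */
    uint16_t auth_len = rd16(buf + 10, le);             /* sender-supplied */
    /* frag_length must cover the header and fit in the bytes in hand. */
    if (frag_len < CO_HDR_LEN || frag_len > received) return PDU_BAD_FRAG_LEN;
    size_t after_hdr = (size_t)frag_len - CO_HDR_LEN;
    /* Compare before subtracting so body_len cannot wrap to a huge value. */
    size_t auth_total = auth_len ? (size_t)auth_len + SEC_TRAILER_LEN : 0;
    if (auth_total > after_hdr) return PDU_BAD_AUTH_LEN;
    size_t body_len = after_hdr - auth_total;
    if (body_len > sizeof out->body) return PDU_TOO_BIG;  /* CWE-787 guard */
    out->ptype = buf[2];
    out->body_len = (uint16_t)body_len;
    memcpy(out->body, buf + CO_HDR_LEN, body_len);
    return PDU_OK;
}

/* Constructed sample: a little-endian header carrying the given lengths. */
enum pdu_status check_sample(uint16_t frag_len, uint16_t auth_len, size_t received) {
    static uint8_t buf[8192]; static struct pdu out;
    if (received > sizeof buf) received = sizeof buf;
    memset(buf, 0, sizeof buf);
    buf[0] = 5; buf[4] = 0x10;
    buf[8] = (uint8_t)frag_len;  buf[9] = (uint8_t)(frag_len >> 8);
    buf[10] = (uint8_t)auth_len; buf[11] = (uint8_t)(auth_len >> 8);
    return parse_co_pdu(buf, received, &out);
}
int main(void) { return check_sample(24, 0, 24) == PDU_OK ? 0 : 1; }
```

The same field checks can run in a monitoring tool on reassembled stream data, where any status other than `PDU_OK` marks a malformed fragment worth logging.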
Defense
- Prioritize patching per vendor guidance for CVE-2024-37079; CISA mandates mitigation or discontinuation if fixes are unavailable for covered entities (CISA KEV).
- Treat unpatched vCenter instances as high risk due to the potential for remote code execution via crafted packets targeting DCERPC handling (NVD detail).
- Enforce strict network access controls around vCenter Server while remediation is underway, minimizing exposure to untrusted sources consistent with the remote exploitation vector noted by CISA (CISA KEV).
- Validate asset inventory against the affected product listing “VMware vCenter Server” to ensure coverage and verify that patch status aligns with the KEV due date (2026-02-13) for applicable programs (MITRE CVE, CISA KEV).
- Increase monitoring for anomalous or malformed inputs directed at vCenter network interfaces, reflecting the “specially crafted network packets” exploitation path described in the CVE/NVD record (NVD detail).
For federal agencies and organizations aligning to KEV remediation, the CISA catalog entry provides the authoritative timeline and required action language, which should be mapped to change windows immediately (CISA KEV).
Lyrie Verdict
This is a network-reachable memory corruption in a management-plane service, with verified in-the-wild exploitation and RCE potential (CISA KEV, NVD detail). The exploit vector, specially crafted DCERPC packets targeting vCenter’s parser, means detection must operate at machine speed on ingress to the management interface, before payloads translate into process memory writes (NVD detail). Lyrie will prioritize autonomous inspection and correlation of anomalous RPC-like request sequences directed at vCenter Server endpoints, elevating any pre-patch deviations consistent with malformed packet structure for immediate containment, aligned to KEV urgency (CISA KEV).
Network-reachable, memory-corruption RCE in vCenter with confirmed exploitation demands autonomous, machine-speed inspection of DCERPC-bound traffic and rapid containment before process memory corruption occurs, with pre-patch anomalies to vCenter prioritized per KEV urgency.