Virtual Kill Chain: Why Hackers Are Flocking to This “Critically Unpatched” VMware Flaw
Threat actors are still exploiting a critical vulnerability in VMware vCenter Server, even though the patch that fixes it was released over a year ago. Broadcom has confirmed that the flaw is being used in active attacks, and U.S. authorities have responded by adding it to their catalog of actively exploited vulnerabilities.
The vulnerability is CVE-2024-37079, an out-of-bounds write in the DCERPC protocol implementation of vCenter Server. With a CVSS score of 9.8 out of 10, it is rated critical. DCERPC is a remote procedure call protocol used by network services; it lets one component of a system invoke functions on another host. In vCenter Server, the flaw allows an attacker with network access to the virtualization management server to send specially crafted packets and achieve remote code execution (RCE).
In simpler terms, anyone with access to the network where the vCenter Server is located could take full control of the virtualization management infrastructure. In a security bulletin updated on June 18, 2024, Broadcom confirmed evidence that CVE-2024-37079 was being exploited in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) then added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, the authoritative list of bugs confirmed to be in use by attackers.
Inclusion in the KEV catalog requires U.S. federal agencies to remediate the flaw by February 13. Although the Broadcom update that fixes CVE-2024-37079 has been available for more than eighteen months, many organizations have still not installed it. Neither Broadcom nor CISA has disclosed the scale of the attacks, and whether ransomware groups are involved remains "unknown." There is also no public information on which threat actors are behind the activity or what attack scenarios they are using.
Analysts note that virtualization infrastructure has long been a target for both cybercriminal groups and state-sponsored hackers. Caitlin Condon, Vice President of Security Research at VulnCheck, pointed out that an earlier vulnerability in the same DCERPC component, CVE-2023-34048, was exploited by at least three China-linked groups: Fire Ant, Warp Panda, and UNC3886.
She adds that delayed exploitation of known vulnerabilities is common. Detailed technical information about CVE-2024-37079 has been public for over a year, giving sophisticated adversaries a blueprint. Condon also stresses that vCenter Server should, by definition, never be exposed to the public internet. The most plausible scenario is therefore an attacker who has already gained an initial foothold in a victim's environment and uses this vulnerability for lateral movement and to entrench control of the internal network. The situation illustrates a persistent problem in cybersecurity: critical vulnerabilities with available fixes remain unpatched for years until they are exploited in the real world, compromising the systems that manage core corporate infrastructure.