CISA Flags VMware vCenter RCE Flaw CVE-2024-37079 as Actively Exploited
CISA added CVE-2024-37079, a critical heap-overflow flaw in Broadcom VMware vCenter Server, to the KEV catalog after evidence of active exploitation; Broadcom patched CVE-2024-37079 (and CVE-2024-37080) in June 2024, with researchers Hao Zheng and Zibo Li linking related DCE/RPC flaws; a Black Hat Asia 2025 presentation notes two additional CVEs (CVE-2024-38812/38813) patched later, and federal agencies must upgrade to the latest version by Feb 13, 2026 to stay protected.