VMware Patches High-Severity SQL Injection Vulnerability in HCX Platform
Published on October 17, 2024
Two vulnerabilities in VMware vCenter Server, patched by Broadcom (VMware's parent company), have been exploited after the first round of fixes proved incomplete. One is a critical heap overflow; the other is a high-severity privilege escalation flaw.
CVE-2024-38812 is a critical heap-overflow vulnerability in vCenter Server's implementation of the DCERPC (Distributed Computing Environment / Remote Procedure Call) protocol. Rated 9.8 out of 10 on the CVSS scale, it allows an attacker with network access to vCenter Server to trigger it with a specially crafted packet and potentially achieve remote code execution.
CVE-2024-38813 is a high-severity privilege escalation flaw with a CVSS score of 7.5. An attacker with network access to vCenter Server can trigger it with a specially crafted packet to escalate privileges to root.
Broadcom released initial patches on September 17, 2024, but those fixes did not fully address CVE-2024-38812, and updated patches followed in October. At that time Broadcom stated it was not aware of exploitation 'in the wild'; it has since updated its advisory to confirm that both vulnerabilities are being actively exploited.
VMware vCenter Server is the central management plane for virtual machine fleets that often number in the thousands, which makes it a prime target for ransomware groups and nation-state actors. Organizations should apply the updated patches to vCenter Server 7 and 8 and to VMware Cloud Foundation 4 and 5 without delay.
Beyond patching, restrict network access to vCenter Server to management networks and authorized personnel, and monitor for suspicious activity against it: both flaws are reachable by any attacker who can send packets to the server.
Also in October, VMware patched a high-severity SQL injection vulnerability (CVE-2024-38814) in its HCX platform that allowed an authenticated user with non-administrator privileges to submit crafted SQL queries and achieve remote code execution on the HCX Manager.
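The HCX flaw is described here only at the level of the vendor advisory, but the underlying bug class is generic. The following Python example is added to this article as an illustration; it is not HCX code or anything from VMware or Broadcom. It uses an in-memory SQLite database with made-up tables, users and tokens to show how a low-privilege user's input reaches the query text unescaped, how a UNION-based payload then reads rows that user should never see, and how binding parameters closes the hole.

```python
"""Generic SQL injection demo: vulnerable string-built query beside the fixed,
parameterized query. Constructed example with sqlite3; all data is made up."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample database: one admin, one low-privilege user,
    and a token table the low-privilege user must not be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users (name, role) VALUES ('admin', 'administrator');
        INSERT INTO users (name, role) VALUES ('alice', 'viewer');
        CREATE TABLE api_tokens (owner TEXT, token TEXT);
        INSERT INTO api_tokens VALUES ('admin', 'tok-admin-CONSTRUCTED');
        INSERT INTO api_tokens VALUES ('alice', 'tok-alice-CONSTRUCTED');
        """
    )
    return conn


def lookup_role_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the caller-controlled name is pasted into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_role_fixed(conn: sqlite3.Connection, name: str) -> list:
    """FIXED: the value is bound as a parameter; the driver never treats it as
    SQL, so the same payload is just a user name that does not exist."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Hypothetical payload a low-privilege user might send in a "look up my role"
# request. The leading quote closes the literal, UNION appends rows from a table
# the query never meant to touch, and the comment swallows the trailing quote.
INJECTION_PAYLOAD = "x' UNION SELECT owner, token FROM api_tokens --"


def demo() -> dict:
    """Run both versions against a normal name and the payload; return results
    so they can be checked rather than only printed."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_role_vulnerable(conn, "alice"),
        "vulnerable_attack": sorted(lookup_role_vulnerable(conn, INJECTION_PAYLOAD)),
        "fixed_normal": lookup_role_fixed(conn, "alice"),
        "fixed_attack": lookup_role_fixed(conn, INJECTION_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Whether an injection like this escalates from data disclosure to code execution depends on the database engine and on what the application's database account is allowed to do; parameterized queries close the input side regardless, and running that account with least privilege limits what a successful injection can reach.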