
Critical RCE flaws in vCenter Server fixed (CVE-2024-37079, CVE-2024-37080)

VMware by Broadcom has fixed two critical vulnerabilities affecting VMware vCenter Server and products that contain it: vSphere and Cloud Foundation.

“A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution,” the company said, but noted that it is currently not aware of them being exploited “in the wild”.

VMware vCenter Server is a popular server management solution for controlling vSphere environments.

At the same time, VMware has fixed several local privilege escalation vulnerabilities that stem from a misconfiguration of sudo and may allow an authenticated local user with non-administrative privileges to elevate to root on the vCenter Server Appliance.

The three vulnerabilities were privately reported by security researchers and affect vCenter Server versions 7.0 and 8.0, as well as Cloud Foundation versions 4.x and 5.x. Products that are past their End of General Support dates – i.e., vSphere 6.5 or 6.7 – “are not evaluated as part of security advisories. If your organization has extended support please use those processes to request assistance,” the company said in an accompanying FAQ document.

“Many appliances, such as the vCenter Server Appliance, have firewalling capabilities accessible through the Virtual Appliance Management Interface. This firewall can be used to help restrict access and potentially help mitigate vulnerabilities.”
