CVE-2024-38812: Critical RCE Bug in VMware vCenter Server

Broadcom has patched a critical vulnerability in VMware vCenter Server that could allow attackers to achieve remote code execution (RCE). The flaw is a heap overflow in vCenter's implementation of the DCE/RPC (Distributed Computing Environment/Remote Procedure Call) protocol: an attacker with network access to the server can trigger it by sending specially crafted packets, without authenticating, and potentially compromise the system.

Threat alert
September 19, 2024

VMware vCenter Server is the central management component of VMware's vSphere suite and is widely deployed in virtualized infrastructure. The vulnerability also affects VMware Cloud Foundation, and Broadcom lists no workarounds, so patching is essential. Restricting network reachability of vCenter to the management network reduces exposure in the meantime, but does not substitute for the fix.

Vulnerable versions

  • VMware vCenter Server 7.0 and 8.0
  • VMware Cloud Foundation 4.x and 5.x

Fixed versions

  • vCenter Server 8.0 U3b and 7.0 U3s
  • VMware Cloud Foundation 5.x (fixed by applying vCenter Server 8.0 U3b as an asynchronous patch)
  • VMware Cloud Foundation 4.x (fixed by applying vCenter Server 7.0 U3s as an asynchronous patch)
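Because both 7.0 U3s and 8.0 U3b report the same major version as the releases they replace, the version string alone does not tell you whether an appliance is patched; the build number does. The script below is an added example for this alert, not code from Broadcom or VMware. It reads the appliance version and build (either from a constructed sample response or live from the vCenter REST API, which is assumed to expose the 7.0 U2+ `/api/session` and `/api/appliance/system/version` paths) and compares the build against the first fixed build of its release line. The two build thresholds are taken from VMware's vCenter release notes rather than from this page; confirm them against the advisory before relying on the output.

```python
"""Check a vCenter Server version/build against the CVE-2024-38812 fixed builds.

Added example for this alert, not code from Broadcom or VMware. The build
numbers below come from VMware's vCenter Server release notes, not from this
page; confirm them against VMSA-2024-0019 before use.
"""
import json
import ssl
import sys
from base64 import b64encode
from urllib.request import Request, urlopen

# First build of each release line that contains the fix (assumed values, see docstring).
# Builds must be compared within a line: 7.0 U3s's build is numerically higher than
# some unpatched 8.0 builds, so a single global threshold would misclassify hosts.
FIXED_BUILDS = {
    "8.0": 24305161,  # vCenter Server 8.0 U3b
    "7.0": 24201990,  # vCenter Server 7.0 U3s
}


def assess(version: str, build) -> dict:
    """Classify one vCenter instance.

    `version` is the appliance version string (e.g. "8.0.3.00300") and `build`
    the build number, as returned by the appliance REST API. The release line is
    the first two version components; builds below that line's fixed build are
    vulnerable. Lines the advisory does not cover (e.g. 6.x) return None.
    """
    line = ".".join(version.split(".")[:2])
    build_num = int(build)
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return {"line": line, "build": build_num, "fixed_build": None, "vulnerable": None}
    return {"line": line, "build": build_num, "fixed_build": fixed,
            "vulnerable": build_num < fixed}


def assess_api_response(body: str) -> dict:
    """Parse the JSON body of GET /api/appliance/system/version and assess it."""
    data = json.loads(body)
    return assess(data["version"], data["build"])


def fetch_version(host: str, user: str, password: str, verify_tls: bool = True) -> str:
    """Log in to the vCenter REST API and return the raw JSON body of
    /api/appliance/system/version. Assumes the /api paths of vCenter 7.0 U2 or later."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab appliances with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    auth = b64encode(f"{user}:{password}".encode()).decode()
    req = Request(f"https://{host}/api/session", method="POST",
                  headers={"Authorization": f"Basic {auth}"})
    with urlopen(req, context=ctx) as resp:
        session_id = json.loads(resp.read().decode())  # the token is returned as a JSON string
    req = Request(f"https://{host}/api/appliance/system/version",
                  headers={"vmware-api-session-id": session_id})
    with urlopen(req, context=ctx) as resp:
        return resp.read().decode()


# Constructed sample response, shaped like the real API output, for offline use.
SAMPLE_RESPONSE = json.dumps({"product": "VMware vCenter Server",
                              "version": "8.0.2.00100", "build": "22000000"})

if __name__ == "__main__":
    if len(sys.argv) == 4:
        body = fetch_version(sys.argv[1], sys.argv[2], sys.argv[3])  # host user password
    else:
        body = SAMPLE_RESPONSE
    print(json.dumps(assess_api_response(body)))
```

Run it with `python3 check_vcenter.py vcenter.example.internal administrator@vsphere.local 'secret'` against a real appliance, or with no arguments to see the offline sample classified as vulnerable. For VMware Cloud Foundation, run it against the vCenter instances that SDDC Manager deployed, since the fix is delivered there as the same asynchronous vCenter patch.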

For more guidance, follow Broadcom's advisory (VMSA-2024-0019). Broadcom has also published a FAQ for this advisory.