February 11, 2026

CISA says critical VMware RCE flaw now actively exploited

CISA says a critical remote code execution (RCE) bug in VMware vCenter Server is now being actively exploited in the wild. The flaw, CVE-2024-37079, is a heap overflow in vCenter’s DCERPC implementation, and an attacker who can reach the vCenter service over the network may be able to trigger RCE with a specially crafted packet—no user interaction and no prior privileges required. The issue was patched back in June 2024, but CISA’s alert indicates real attackers are now taking advantage of systems that weren’t updated.

Because of active exploitation, CISA added CVE-2024-37079 to its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. federal civilian agencies to fix affected systems within three weeks (by February 13, 2026). Broadcom (VMware) also updated its advisory to acknowledge it has information suggesting exploitation has occurred, and it notes there are no workarounds or mitigations. The practical response is to patch vCenter Server/Cloud Foundation to the latest fixed versions immediately and, operationally, to ensure vCenter is not unnecessarily exposed and is tightly restricted to trusted management networks.

Source: https://www.bleepingcomputer.com/news/security/cisa-says-critical-vmware-rce-flaw-now-actively-exploited/
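
To track the KEV deadline described above against your own estate, the following added example (not from the article, CISA or Broadcom) joins open scanner findings with KEV due dates and ranks exposed hosts first. The catalog excerpt uses the KEV JSON field names `vulnerabilities`, `cveID`, `product` and `dueDate`; the hostnames, the `exposed` flag, the placeholder CVE ids and the product strings are constructed assumptions.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. Only the cveID and
# dueDate of CVE-2024-37079 come from the article; the rest is sample data.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2024-37079", "product": "vCenter Server", "dueDate": "2026-02-13"},
  {"cveID": "CVE-0000-00001", "product": "ExampleProduct", "dueDate": "2026-03-01"}
]}
""")

# Constructed scanner findings: open (unpatched) CVEs per host. "exposed" is a
# hypothetical flag meaning the host is reachable from outside the management network.
FINDINGS = [
    {"host": "vcenter-mgmt-01.example.internal", "cve": "CVE-2024-37079", "exposed": False},
    {"host": "vcenter-lab-02.example.internal", "cve": "cve-2024-37079", "exposed": True},
    {"host": "app-07.example.internal", "cve": "CVE-0000-00002", "exposed": False},
]

def kev_due_dates(catalog):
    """Map cveID -> due date, skipping entries with a missing or malformed dueDate."""
    due = {}
    for entry in catalog.get("vulnerabilities", []):
        try:
            due[entry["cveID"].upper()] = date.fromisoformat(entry["dueDate"])
        except (KeyError, ValueError):
            continue
    return due

def kev_triage(findings, catalog, today):
    """Return KEV-listed findings, exposed hosts first, then nearest deadline."""
    due = kev_due_dates(catalog)
    rows = []
    for f in findings:
        deadline = due.get(f["cve"].upper())
        if deadline is None:
            continue  # not KEV-listed: leave to the normal patch cadence
        days_left = (deadline - today).days
        rows.append({"host": f["host"], "cve": f["cve"].upper(),
                     "due": deadline.isoformat(), "days_left": days_left,
                     "status": "OVERDUE" if days_left < 0 else "DUE",
                     "exposed": f["exposed"]})
    rows.sort(key=lambda r: (not r["exposed"], r["days_left"], r["host"]))
    return rows

if __name__ == "__main__":
    for r in kev_triage(FINDINGS, KEV_SAMPLE, date(2026, 2, 11)):
        print(f'{r["status"]:8} {r["days_left"]:>3}d {r["cve"]} {r["host"]} exposed={r["exposed"]}')
```
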
