
Two critical vulnerabilities in VMware vSphere: Patch now

  • June 18, 2024


A patch is available for vCenter Server and Cloud Foundation to close the vulnerability. The message is to patch now.

VMware, part of Broadcom, has shared two critical vulnerabilities with the world: CVE-2024-37079 and CVE-2024-37080. In terms of severity, both have a rating of 9.8 out of 10. The flaws are in Cloud Foundation and vSphere.

In its report, the manufacturer describes both vulnerabilities as “heap overflow vulnerabilities in the implementation of the DCE/RPC protocol.” Specifically, “an attacker with network access to vCenter Server could activate these vulnerabilities by sending a specially crafted network packet that could potentially lead to remote code execution.”

DCE/RPC is a remote procedure call protocol: it lets a program call a procedure on a remote computer as if it were running locally. That an attacker could potentially inject code into vCenter Server to gain control of virtual machines is hardly a welcome prospect.

Fortunately, a patch for vCenter Server and Cloud Foundation is available today that fixes both critical vulnerabilities. Updating to the latest version will once again ensure a more secure IT environment.

The only downside: According to The Register, VMware seems unsure how severe the impact will be on older versions. The popular versions 6.5 and 6.7, which have been out of support since October, could potentially pose a threat to the IT environment.

For more information, see VMware’s full report here. The vendor is currently not aware of any exploitation “in the wild.”

Source: IT Daily
