Broadcom is warning that two critical flaws in VMware vCenter are being actively exploited, although it originally said this was not the case.

Broadcom is updating its advisory for two bugs in VMware vCenter. The errors have been known since September. Originally, Broadcom said that the flaws were not being actively exploited, but now the VMware owner is suggesting that they are. Broadcom is thus increasing the urgency of closing the two vulnerabilities.

CVE-2024-38812 in particular stands out with a CVSS score of 9.8. Broadcom describes this critical error as Heap overflowVulnerability that allows attackers to remotely execute malicious code. CVE-2024-38813 is less critical with a CVSS score of 7.5 and can be exploited to artificially elevate a user’s privileges in vCenters.

Patched twice

As planned, Broadcom deployed a patch for vCenter to coincide with the public announcement on September 17th. However, the first patch proved to be ineffective, which was followed by a second update in October. If you have just installed the September patch or have ignored all warnings so far, you should update vCenter as soon as possible.

Broadcom publishes an overview of all versions of vCenter that are protected against the vulnerabilities. There is no other workaround to close the leaks. Patching is therefore the only remedy. The same note applies to the vulnerabilities discovered in VMware vCenter Server earlier this year.