Two VMware vCenter server bugs, including a critical heap-overflow vulnerability that leads to remote code execution (RCE), have been exploited in attacks after Broadcom’s first attempt to fix the flaws fell short.

Broadcom first patched the two flaws – CVE-2024-38812 and CVE-2024-38813 – on September 17th, but then issued an October update to the original patches after admitting its initial effort “did not completely address” either vulnerability.

At the time Broadcom issued the second patch for both vCenter holes, the vendor assured customers it was “not currently aware of exploitation ‘in the wild.'”

On Monday, Broadcom published an alert in which it “confirmed that exploitation has occurred in the wild” for both flaws.

The Register has asked Broadcom for info on the extent of the attacks and any intelligence on the perpetrators but have not received a response at the time of writing.

vCenter is a juicy target for crims because it is the tool admins use to manage fleets of virtual machines – and some orgs operate thousands of them. All manner of miscreants therefore love a VMware security hole. In the past we’ve seen ransomware gangs and nation-state crews target VMware flaws, suggesting these fixes deserve urgent attention.

CVE-2024-38812 is a critical heap-overflow vulnerability in the handling of the Distributed Computing Environment/Remote Procedure Calls (DCERPC) protocol that received a 9.8 out of 10 CVSS severity rating. An attacker with network access could exploit this flaw by sending a specially crafted packet, potentially allowing them to remotely execute malicious code on a vulnerable system.

CVE-2024-38813 is a high-severity, 7.5-CVSS rated privilege escalation vulnerability. This one also requires network access to vCenter Server, and assuming an attacker has that, they can exploit the bug to escalate privileges to root.

Both CVEs put versions 7 and 8 of vCenter Server and versions 4 and 5 of VMware Cloud Foundation at risk of exploitation. ®