Critical RCE Vulnerability in VMware vCenter Server Already Exploited in Attacks

Wednesday, November 20, 2024

Broadcom has issued a warning about two vulnerabilities in VMware vCenter Server that are being actively exploited by attackers. One of them, tracked as CVE-2024-38812, is a critical remote code execution (RCE) flaw discovered by TZL security researchers during the “Matrix Cup 2024” hacking competition in China. The issue stems from a heap overflow in vCenter's implementation of the DCE/RPC protocol and affects products such as VMware vSphere and VMware Cloud Foundation.
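The article names the defect class (a heap overflow in a network protocol handler) without describing it. The following is an added, constructed example in C that is not vCenter's or Broadcom's code and makes no claim about how the DCE/RPC flaw actually works; it uses a hypothetical length-prefixed "fragment" format to show the pattern behind such bugs, a length field taken from the wire and trusted when copying into a fixed-size heap buffer, next to the hardened parser that validates the length against both the allocation and the received packet before copying anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy format (assumption, not DCE/RPC): a 2-byte big-endian
   body length followed by the body. The body is copied into a heap buffer
   of fixed capacity, which is what makes a trusted length field dangerous. */
#define BODY_CAPACITY 64

struct fragment {
    uint16_t body_len;
    uint8_t *body;          /* heap allocation of BODY_CAPACITY bytes */
};

static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern: the declared length is attacker-controlled and is
   used as the memcpy size without comparing it to the destination size
   or to the number of bytes actually received. A body_len above
   BODY_CAPACITY writes past the end of the allocation (heap overflow). */
int parse_fragment_unsafe(const uint8_t *pkt, size_t pkt_len, struct fragment *out) {
    if (pkt_len < 2) return -1;
    uint16_t body_len = read_be16(pkt);
    out->body = malloc(BODY_CAPACITY);
    if (!out->body) return -1;
    memcpy(out->body, pkt + 2, body_len);        /* missing bounds check */
    out->body_len = body_len;
    return 0;
}

/* Hardened parser: reject the fragment before any byte is copied if the
   declared length exceeds the destination buffer (-2) or the bytes that
   actually arrived (-3). */
int parse_fragment_safe(const uint8_t *pkt, size_t pkt_len, struct fragment *out) {
    if (pkt_len < 2) return -1;
    uint16_t body_len = read_be16(pkt);
    if (body_len > BODY_CAPACITY) return -2;      /* would overflow the heap buffer */
    if ((size_t)body_len > pkt_len - 2) return -3; /* would read past the packet */
    out->body = malloc(BODY_CAPACITY);
    if (!out->body) return -1;
    memcpy(out->body, pkt + 2, body_len);
    out->body_len = body_len;
    return 0;
}

void fragment_free(struct fragment *f) {
    free(f->body);
    f->body = NULL;
}

/* Constructed packet declaring a 4096-byte body behind 8 real bytes:
   the hardened parser refuses it without touching the heap buffer. */
int demo_oversized_declared_length(void) {
    uint8_t pkt[] = { 0x10, 0x00, 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
    struct fragment f = { 0, NULL };
    int rc = parse_fragment_safe(pkt, sizeof pkt, &f);
    fragment_free(&f);
    return rc;                                    /* -2 */
}

/* Constructed packet declaring 10 body bytes but carrying only 3. */
int demo_truncated_packet(void) {
    uint8_t pkt[] = { 0x00, 0x0a, 'A', 'B', 'C' };
    struct fragment f = { 0, NULL };
    int rc = parse_fragment_safe(pkt, sizeof pkt, &f);
    fragment_free(&f);
    return rc;                                    /* -3 */
}

/* Well-formed packet: both parsers accept it and copy the body intact,
   which is why the missing check goes unnoticed under normal traffic. */
int demo_wellformed(void) {
    uint8_t pkt[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    struct fragment a = { 0, NULL }, b = { 0, NULL };
    int ok = parse_fragment_unsafe(pkt, sizeof pkt, &a) == 0
          && parse_fragment_safe(pkt, sizeof pkt, &b) == 0
          && a.body_len == 5 && b.body_len == 5
          && memcmp(a.body, "hello", 5) == 0
          && memcmp(b.body, "hello", 5) == 0;
    fragment_free(&a);
    fragment_free(&b);
    return ok;                                    /* 1 */
}

int main(void) {
    printf("oversized length -> %d\n", demo_oversized_declared_length());
    printf("truncated packet -> %d\n", demo_truncated_packet());
    printf("well-formed      -> %d\n", demo_wellformed());
    return 0;
}
```

The two rejection codes matter for defenders as well as developers: a parser that fails closed on an implausible length gives the service a natural place to log the malformed fragment and its source, which is the kind of signal an incident responder wants when a vulnerability of this class is known to be under active exploitation.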

The second exploited vulnerability, CVE-2024-38813, involves privilege escalation, allowing attackers to gain root-level access through specially crafted network packets.

Broadcom confirmed that both vulnerabilities (CVE-2024-38812 and CVE-2024-38813) have been exploited in real-world attacks. While the company issued security updates to address these issues in September, it was later discovered that the patch for CVE-2024-38812 was incomplete. Administrators are strongly urged to apply the latest patches immediately, as no temporary workarounds are available for this vulnerability. Broadcom has also provided additional guidance on updating systems and potential issues post-update.

State-sponsored hacking groups and ransomware operators frequently target VMware vCenter vulnerabilities. For instance, earlier this year, Broadcom revealed that a Chinese hacking group had been exploiting the vCenter zero-day vulnerability CVE-2023-34048 since late 2021. This flaw was used to deploy the VirtualPita and VirtualPie malware on ESXi servers.

Source: https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-vmware-vcenter-server-now-exploited-in-attacks/