9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.7 High
AI Score
Confidence
Low
0.044 Low
EPSS
Percentile
92.4%
VMware has released updates to address critical flaws impacting Cloud Foundation, vCenter Server, and vSphere ESXi that could be exploited to achieve privilege escalation and remote code execution.
The list of vulnerabilities is as follows -
This is not the first time VMware has addressed shortcomings in the implementation of the DCE/RPC protocol. In October 2023, the Broadcom-owned virtualization services provider patched another critical security hole (CVE-2023-34048, CVSS score: 9.8) that could also be abused to execute arbitrary code remotely.
Chinese cybersecurity company QiAnXin LegendSec researchers Hao Zheng and Zibo Li have been credited with discovering and reporting CVE-2024-37079 and CVE-2024-37080. The discovery of CVE-2024-37081 has been credited to Matei “Mal” Badanoiu at Deloitte Romania.
All three issues, which affect vCenter Server versions 7.0 and 8.0, have been addressed in versions 7.0 U3r, 8.0 U1e, and 8.0 U2d.
While there are no known reports of any of the vulnerabilities being actively exploited in the wild, it’s essential that users move quickly to apply the patches in light of their criticality.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.7 High
AI Score
Confidence
Low
0.044 Low
EPSS
Percentile
92.4%