
VMware Confirms Exploitation of vCenter Server Bugs

VMware said threat actors are now exploiting previously disclosed flaws (CVE-2024-38812 and CVE-2024-38813) in vCenter Server.

VMware on Monday said that threat actors are now exploiting previously disclosed security vulnerabilities (CVE-2024-38812 and CVE-2024-38813) in vCenter Server, its application for centrally managing vSphere infrastructure.

The flaws were first disclosed at the 2024 Matrix Cup Chinese hacking competition in June, and were discovered by security researchers with Team TZL, according to VMware in its initial security advisory on Sept. 17, which included fixes for the flaws. 

Key Details:

  • VMware updated its security advisory to confirm that CVE-2024-38812 and CVE-2024-38813 have been exploited, but did not disclose further details about the exploitation activity, including its timeline and the extent of the campaigns

  • CVE-2024-38812 is a heap-overflow bug in vCenter Server's implementation of the DCE/RPC protocol, with a CVSS score of 9.8 out of 10

  • CVE-2024-38813 is a privilege escalation flaw in vCenter Server, with a CVSS score of 7.5 out of 10

Why It Matters: The bugs can enable remote code execution and privilege escalation, and VMware said the issues qualify “as an emergency change, requiring prompt action from your organization.”

For CVE-2024-38812, VMware said that “a malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.” Meanwhile, for CVE-2024-38813, “a malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet,” according to the advisory.

Notably, VMware has previously struggled to fully patch CVE-2024-38812 in vCenter Server. On Oct. 21, the company updated its advisory for that flaw, acknowledging that its Sept. 17 patches did not fully address the issue and urging companies to apply new fixes.

The Big Picture: VMware said that vCenter and products that contain vCenter, including VMware vSphere and VMware Cloud Foundation, are impacted. There are no workarounds provided by VMware, and customers should update to the fixed versions outlined in the security advisory as soon as possible. It is particularly important to update now because the flaws are being exploited, and threat actors have previously targeted VMware vCenter Server vulnerabilities.