PoC Archive
Critical CVE-2024-37079 patched

VMware vCenter Server DCE/RPC Heap Overflow RCE (CVE-2024-37079)

by Vulnmachines (source repository); VMware/CISA advisory ecosystem · 2026-05-16

CVSS: 9.8/10
Severity: Critical
CVE: CVE-2024-37079
Category: network
Affected product: VMware vCenter Server
Affected versions: vCenter Server versions impacted by CVE-2024-37079 prior to VMware June 2024 security updates
Disclosed: 2026-05-16
Patch status: patched

Metadata

| Field | Value |
| --- | --- |
| Date Added | 2026-05-16 |
| Author / Researcher | Vulnmachines (source repository); VMware/CISA advisory ecosystem |
| CVE / Advisory | CVE-2024-37079 |
| Category | network |
| Severity | Critical |
| CVSS Score | 9.8 (CVSSv3) |
| Status | Weaponized |
| Tags | RCE, heap-overflow, DCE/RPC, vCenter, unauthenticated, KEV |
| Related | N/A |

Affected Target

| Field | Value |
| --- | --- |
| Software / System | VMware vCenter Server |
| Versions Affected | vCenter Server versions impacted by CVE-2024-37079 prior to VMware June 2024 security updates |
| Language / Platform | VMware vCenter Server Appliance / enterprise virtualization management plane |
| Authentication Required | No |
| Network Access Required | Yes |

Summary

CVE-2024-37079 is a critical heap overflow condition in a vCenter Server DCE/RPC network-handling path. A crafted network packet can trigger memory corruption before authentication and potentially lead to remote code execution. Public reporting indicates that patches became available in June 2024 and that the CVE was subsequently added to the CISA KEV catalog in January 2026, which signals observed exploitation activity.


Vulnerability Details

Root Cause

The issue is a heap memory corruption flaw in DCE/RPC request processing where malformed packet data can corrupt heap state, enabling control-flow abuse under favorable conditions.

Attack Vector

An unauthenticated attacker with network reachability to exposed vCenter services sends crafted DCE/RPC traffic that exercises the vulnerable parser/handler path.

Impact

  • Unauthenticated remote code execution risk on vCenter Server.
  • Potential compromise of central virtualization management infrastructure.
  • High-value lateral movement opportunity due to vCenter control-plane position.

Environment / Lab Setup

OS:          Isolated lab with vulnerable VMware vCenter Server build
Target:      vCenter Server instance susceptible to CVE-2024-37079
Attacker:    Authorized security testing host with network reachability
Tools:       Packet crafting/fuzzing utilities, network capture, vCenter logs

Setup Steps


Proof of Concept

Step-by-Step Reproduction

  1. Prepare an authorized test environment with a vulnerable vCenter and monitoring enabled.
  2. Deliver a crafted DCE/RPC packet sequence to the reachable vulnerable service endpoint.
  3. Observe crash/memory-corruption indicators and validate potential code execution behavior in controlled conditions.

Exploit Code

No public, reproducible weaponized exploit script for CVE-2024-37079 is archived in the referenced upstream repository.

Expected Output

- Target service instability/crash signatures in vCenter logs
- Memory-corruption indicators during packet processing
- Potential code-execution conditions in controlled exploit-development scenarios

Screenshots / Evidence

  • screenshots/ — add authorized lab captures (packet traces, crash artifacts, debugger evidence)

Detection & Indicators of Compromise

- Unexpected DCE/RPC traffic patterns to vCenter-facing services from untrusted hosts
- vCenter service crashes/restarts tied to malformed RPC requests
- Correlated network + process telemetry suggesting exploit-attempt sequencing

SIEM / IDS Rule (example):

Alert on anomalous or malformed DCE/RPC packet bursts targeting vCenter services,
especially from non-admin network segments.
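
One way to express the rule above as detection logic, as an added example that is not part of the original entry or the source repository: it flags bursts of connections to vCenter DCE/RPC listeners from outside the admin segment and raises severity when a restart of the same host follows. The addresses, port set, thresholds and record layouts are constructed assumptions; substitute your own flow and restart telemetry.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for illustration (none of these values come from the advisory).
VCENTER_HOSTS = {"10.0.5.10"}             # constructed vCenter address
ADMIN_NETS = [ip_network("10.0.9.0/24")]  # constructed trusted admin segment
RPC_PORTS = {135}                         # placeholder: set to your DCE/RPC listener ports
BURST_COUNT = 5                           # connections per source within BURST_WINDOW
BURST_WINDOW = timedelta(seconds=10)
RESTART_WINDOW = timedelta(minutes=2)     # restart this soon after a burst => correlate

def find_alerts(flows, restarts):
    """flows: (iso_ts, src, dst, dst_port) tuples; restarts: (iso_ts, host) tuples."""
    seen = {}
    for ts, src, dst, port in flows:
        if dst not in VCENTER_HOSTS or port not in RPC_PORTS:
            continue
        if any(ip_address(src) in net for net in ADMIN_NETS):
            continue  # traffic from the admin segment is expected
        seen.setdefault((src, dst), []).append(datetime.fromisoformat(ts))
    alerts = []
    for (src, dst), times in sorted(seen.items()):
        times.sort()
        start, burst_end = 0, None
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                burst_end = t
                break
        if burst_end is None:
            continue
        # A restart of the same host shortly after the burst raises severity.
        crashed = any(
            host == dst and timedelta(0) <= datetime.fromisoformat(r) - burst_end <= RESTART_WINDOW
            for r, host in restarts)
        alerts.append({"src": src, "dst": dst, "burst_end": burst_end.isoformat(),
                       "severity": "high" if crashed else "medium"})
    return alerts

# Constructed sample telemetry (not real logs).
SAMPLE_FLOWS = (
    [(f"2026-01-20T10:00:0{i}", "10.0.7.23", "10.0.5.10", 135) for i in range(6)]   # burst, untrusted
    + [(f"2026-01-20T10:00:0{i}", "10.0.9.4", "10.0.5.10", 135) for i in range(6)]  # burst, admin net
    + [("2026-01-20T10:05:00", "10.0.7.40", "10.0.5.10", 135)])                     # single connection
SAMPLE_RESTARTS = [("2026-01-20T10:01:00", "10.0.5.10")]

if __name__ == "__main__":
    print(*find_alerts(SAMPLE_FLOWS, SAMPLE_RESTARTS), sep="\n")
```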

Remediation

| Action | Detail |
| --- | --- |
| Patch | Apply VMware June 2024 security updates that remediate CVE-2024-37079 |
| Workaround | Minimize exposed management interfaces; restrict DCE/RPC-reachable paths to trusted admin networks |
| Config Hardening | Enforce management-plane segmentation, strict ACLs, and continuous monitoring for malformed RPC traffic |

References


Notes

Auto-ingested from https://github.com/Vulnmachines/VmWare-vCenter-vulnerability on 2026-05-16. Source repository content appears focused on older vCenter CVEs; this entry uses the issue-provided CVE-2024-37079 context for classification.

exploit.py
#!/usr/bin/env python3
"""
POC: vmware-vcenter-dcerpc-heap-overflow-rce
CVE: CVE-2024-37079
Date: 2026-05-16
Description: Placeholder for authorized-lab validation of unauthenticated DCE/RPC heap overflow conditions on vCenter Server.

DISCLAIMER: For authorized security research only.
"""

TARGET = "https://target-vcenter"


def exploit(target: str) -> None:
    raise NotImplementedError(
        "No public weaponized exploit is archived in this repository. "
        "Use controlled lab packet-replay techniques only."
    )


if __name__ == "__main__":
    exploit(TARGET)