Critical VMware Bugs Open Swaths of VMs to RCE, Data Theft
ID: d4956896-7a1e-5d70-9c37-b601ad08e01d
STIX ID: report--d4956896-7a1e-5d70-9c37-b601ad08e01d
Feed Name: Dark Reading
Broadcom/VMware released patches for three vCenter vulnerabilities: two critical DCERPC heap-overflow flaws (CVE-2024-37079, CVE-2024-37080) enabling remote code execution (CVSS 9.8) and a high-severity local privilege escalation via sudo misconfiguration (CVE-2024-37081, CVSS 7.8). The advisory stresses immediate patching given vCenter’s central role in managing large VM estates and the broad potential impact, though there is currently no evidence these bugs have been exploited in the wild.
