VMware fixes critical vCenter RCE vulnerability, patch now
ID: 72fdf058-fd21-5e91-86f6-f78136fe63ee
STIX ID: report--72fdf058-fd21-5e91-86f6-f78136fe63ee
Feed Name: Bleeping Computer
VMware released security updates for vCenter Server addressing three vulnerabilities — CVE-2024-37079 and CVE-2024-37080 (critical heap-overflow flaws in the DCERPC implementation allowing potential remote code execution, CVSS 9.8) and CVE-2024-37081 (a sudo misconfiguration enabling local privilege escalation to root, CVSS 7.8). Affected products include vCenter Server 7.0/8.0 and VMware Cloud Foundation 4.x/5.x; patches are available (vCenter Server 8.0 U2d/8.0 U1e/7.0 U3r and KB88287 for Cloud Foundation). VMware reports no detected active exploitation to date and recommends applying updates promptly since there are no viable in-product mitigations.
