Patch or die: VMware vCenter Server bug fixed in 2024 under attack today


You've got to keep your software updated. Some unknown miscreants are exploiting a critical VMware vCenter Server bug more than a year after Broadcom patched the flaw.

The vulnerability, tracked as CVE-2024-37079, is an out-of-bounds write flaw in vCenter Server's implementation of the DCERPC protocol that earned a 9.8 out of 10 CVSS rating. In other words: it's almost as bad as it gets. 

DCERPC, which stands for Distributed Computing Environment/Remote Procedure Calls, allows software to invoke procedures and services on a remote system across a network. Someone with network access to vCenter Server can abuse this bug by sending specially crafted network packets, potentially leading to remote code execution. On Friday, both the vendor and the feds warned that this, or something along these lines, is happening.

"Broadcom has information to suggest that exploitation of CVE-2024-37079 has occurred in the wild ...


Copyright of this story solely belongs to theregister.co.uk.