Critical RCE Flaws Disclosed in Ivanti CSA and VMware vCenter
Critical vulnerabilities were disclosed in Ivanti Cloud Services Application (CSA) and VMware vCenter Server products, exposing enterprise management platforms to remote compromise. Ivanti said CSA 5.0.2 and earlier contain three flaws—CVE-2024-11639, CVE-2024-11772, and CVE-2024-11773—that can enable authentication bypass, remote code execution, and arbitrary SQL query execution through the administrator browser console, with the most severe issues rated CVSS 10.0. Ivanti released fixes in CSA 5.0.3 and urged customers to update immediately.
VMware also disclosed two vulnerabilities affecting vCenter Server and VMware Cloud Foundation: CVE-2024-38812, a heap overflow that can allow arbitrary code execution, and CVE-2024-38813, which can enable privilege escalation to root. The flaws affect vCenter Server 7.0 and 8.0 as well as VMware Cloud Foundation 4.x and 5.x, and can be exploited remotely over the network using specially crafted packets. In both vendor notices, no active exploitation had been confirmed at the time of disclosure, but organizations and service providers were advised to apply vendor-fixed versions without delay because successful attacks could result in full administrative compromise.
Timeline
Dec 11, 2024
Ivanti fixes critical CSA vulnerabilities in version 5.0.3
Ivanti disclosed three critical vulnerabilities in Cloud Services Application (CSA) admin console components: CVE-2024-11639, CVE-2024-11772, and CVE-2024-11773. The issues could allow authentication bypass, remote code execution, and arbitrary SQL execution, and were fixed in CSA version 5.0.3; Ivanti said it had not observed exploitation at the time of notice.
Sep 18, 2024
VMware discloses critical vCenter Server vulnerabilities and fixes
Broadcom/VMware disclosed CVE-2024-38812 and CVE-2024-38813 affecting VMware vCenter Server 7.0/8.0 and VMware Cloud Foundation 4.x/5.x. The flaws could enable remote code execution and privilege escalation, and customers were advised to update to fixed versions; no active exploitation was known at the time.
Related Stories

CISA Flags Actively Exploited VMware vCenter Server RCE (CVE-2024-37079)
**CISA added CVE-2024-37079, a critical VMware vCenter Server vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog after Broadcom indicated it has evidence of in-the-wild exploitation.** The flaw is a **9.8 CVSS** out-of-bounds write/heap-overflow issue in vCenter Server’s **DCERPC** implementation; an attacker with network access can send specially crafted packets that may result in **remote code execution (RCE)**. CISA’s KEV entry does not attribute exploitation to a specific threat actor and lists ransomware use as **unknown**, but the KEV addition triggers mandatory remediation timelines for US federal agencies. Reporting also noted CISA added multiple other enterprise software issues to KEV in a short span (including vulnerabilities affecting **Versa Concerto** and **Zimbra**, plus developer tools), but the vCenter Server item drew specific attention because it was **patched by Broadcom in 2024** and is still being exploited. Broadcom has not publicly provided details on the scope, victims, or exploitation chain beyond acknowledging observed exploitation, reinforcing the need for organizations running vCenter Server to validate exposure and ensure the relevant updates are deployed.
1 month ago
Active Exploitation of Critical RCE Vulnerabilities in Enterprise Infrastructure (Cisco UC and VMware vCenter)
Reports warn of **in-the-wild exploitation** of critical remote code execution vulnerabilities affecting widely deployed enterprise infrastructure. One report describes a purported Cisco Unified Communications zero-day, **CVE-2024-20253**, impacting *Cisco Unified Communications Manager (Unified CM)*, *Cisco Unity Connection*, and *Webex Calling Dedicated Instance*, and claims it enables **unauthenticated command execution** via the web management interface, creating risk of full system compromise and rapid opportunistic scanning of internet-exposed instances. Separately, **CISA added Broadcom VMware vCenter Server CVE-2024-37079** (CVSS 9.8) to the **Known Exploited Vulnerabilities (KEV)** catalog based on evidence of exploitation; the issue is described as a **DCE/RPC heap overflow** that can lead to RCE via specially crafted network packets, and Broadcom updated its advisory to acknowledge observed exploitation. A third item (Rapid7’s Metasploit wrap-up) is not about either of these active-exploitation advisories; it covers new Metasploit modules for unrelated vulnerabilities (e.g., Oracle E-Business Suite **CVE-2025-61882** and Splunk issues), which may increase general exploitation capability but does not substantively corroborate the Cisco or VMware events.
1 month ago
Broadcom Patches VMware Aria Operations Flaws Enabling RCE During Support-Assisted Migrations
Broadcom issued advisory **VMSA-2026-0001** for **VMware Aria Operations** (formerly *vRealize Operations*), warning of three vulnerabilities affecting Aria Operations and bundled platforms including **VMware Cloud Foundation** and **VMware Telco Cloud**. The most severe issue, **CVE-2026-22719** (CVSS 8.1), is a **command injection** flaw that can be exploited by an **unauthenticated** attacker to execute arbitrary commands and potentially achieve **remote code execution** specifically **while a support-assisted product migration is in progress**. Broadcom released patches and also documented a workaround for CVE-2026-22719 in its response matrix/KB guidance. The advisory also covers **CVE-2026-22720** (CVSS 8.0), a **stored XSS** issue where a user with privileges to create custom benchmarks can inject script to perform administrative actions, and **CVE-2026-22721** (CVSS 6.2), a **privilege escalation** path where a user with vCenter access to Aria Operations can elevate to administrative control. Researchers **Sven Nobis** and **Lorin Lehawany** of **ERNW** were credited with reporting at least part of the findings. Impacted deployments include Aria Operations 8.x and related bundles across Cloud Foundation and Telco Cloud product lines; Broadcom’s fixed versions include updates such as Aria Operations **8.18.6** and Cloud Foundation **9.0.2.0**, and organizations are advised to prioritize upgrades due to the lack of workarounds for the XSS and privilege-escalation issues.
1 month ago