VMware by Broadcom has announced the release of software updates to address a previously patched security flaw in vCenter Server. The vulnerability is a heap overflow in the implementation of the DCE/RPC protocol. The company noted that the vCenter patches released on September 17, 2024, did not fully address the CVE. The flaw was originally reported at the Matrix Cup cybersecurity competition held in China.
"A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution," the Broadcom-owned virtualization services provider said.
Patches for the flaw are available in the following vCenter Server versions:
· 8.0 U3d
· 8.0 U2e, and
· 7.0 U3t
The patch is also available as an asynchronous patch for VMware Cloud Foundation versions 5.x, 5.1.x, and 4.x. There are no known mitigations.
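To find which appliances still need the fix, the three patched releases above can be checked per update line (a host on 8.0 U2e is patched, a host on 8.0 U3c is not). This is an added example, not Broadcom's code or tooling, and it assumes inventory entries in the "8.0 U3d" form used in the advisory rather than raw build numbers.

```python
import re

# Fixed releases named above, keyed by (major, minor, update number) so each
# update line is compared only against its own fix.
FIXED = {
    (8, 0, 3): "d",   # 8.0 U3d
    (8, 0, 2): "e",   # 8.0 U2e
    (7, 0, 3): "t",   # 7.0 U3t
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\s+U(\d+)([a-z]?)$")


def parse_version(text):
    """Parse '8.0 U3c' -> (8, 0, 3, 'c'); the letter is '' for a base update."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = m.groups()
    return int(major), int(minor), int(update), letter


def is_patched(text):
    """True if at or above the fixed release of its update line, False if below.
    None when the line is not covered by this advisory (e.g. 8.0 U1), so callers
    treat it as 'unknown' rather than 'safe'."""
    major, minor, update, letter = parse_version(text)
    fix_letter = FIXED.get((major, minor, update))
    if fix_letter is None:
        return None
    # Letters accumulate within an update line ('' < 'a' < 'b' < ...), so a
    # plain string comparison orders them correctly.
    return letter >= fix_letter


def triage(inventory):
    """Split (hostname, version) pairs into needs_patch / patched / unknown."""
    result = {"needs_patch": [], "patched": [], "unknown": []}
    for host, version in inventory:
        state = is_patched(version)
        key = "unknown" if state is None else ("patched" if state else "needs_patch")
        result[key].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real hosts.
    sample = [("vc-prod-01", "8.0 U3d"), ("vc-prod-02", "8.0 U3c"),
              ("vc-dr-01", "8.0 U2e"), ("vc-lab-01", "7.0 U3s"),
              ("vc-old-01", "8.0 U1d")]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {hosts}")
```

Hosts in the "unknown" bucket are on update lines the advisory does not list and should be checked against the vendor matrix rather than assumed safe.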
While there is no evidence that the vulnerability has ever been exploited in the wild, users are advised to update to the latest versions to safeguard against potential threats.
In July 2021, China passed a law that requires vulnerabilities discovered by researchers in the country to be promptly disclosed to the government and the product's manufacturer, raising concerns that it could help nation-state adversaries stockpile zero-days and weaponize them to their advantage.