VMware reveals critical security bugs, so patch now

This tool works as a centralized platform where users can manage virtualized environments, specifically those running on VMware's vSphere suite. It is often described as a “key element” in enterprise data center management, since it offers a wide variety of features that streamline and automate virtualized infrastructure admin.

The two vulnerabilities are tracked as CVE-2024-37079, and CVE-2024-37080, and both carry a severity score of 9.8 - critical.

No workarounds

“A malicious actor with network access to vCenter Server may trigger these vulnerabilities by sending a specially crafted network packet potentially leading to remote code execution,” VMware explained, urging users to apply the released patches immediately. 

Furthermore, the company explained it investigated “in-product workarounds” and found them lacking, suggesting that applying the patch would be the best way forward.

According to The Register, there is currently no evidence of any in-the-wild exploitation. However, once a company puts vulnerabilities in the spotlight like this, threat actors usually start scanning the internet for vulnerable endpoints. The publication also warns that many organizations still use vSphere versions 6.5 and 6.7, which reached their end-of-life status in October 2022, “but are still widely used”.

VMware has been quite busy this year, issuing patches for high-severity flaws. A month ago, it released patches for four vulnerabilities affecting two of its products, and in early March, it fixed four flaws, including two that could have been used to execute malicious code.

More from TechRadar Pro

• VMware reveals patches for a host of security flaws, so update now
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now