Mallory vulnerability record
Severity: High. Public exploit available.

Local Privilege Escalation in VMware vCenter Server Appliance via sudo Misconfiguration

Identifiers: CVE-2024-37081, CWE-266

CVE-2024-37081 is a local privilege escalation vulnerability in VMware vCenter Server Appliance (VCSA). The issue stems from multiple sudo misconfigurations in vCenter Server: an authenticated local user with non-administrative privileges can abuse them to elevate privileges to root on the appliance. The vulnerability is covered by VMware security advisory VMSA-2024-0012 and is distinct from that advisory's separate remote DCE/RPC heap overflow issues (CVE-2024-37079 and CVE-2024-37080).

Analyst brief: impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local authenticated low-privilege user to obtain root privileges on the vCenter Server Appliance. Root compromise of VCSA can result in full control over the appliance, including the ability to modify system configuration, access sensitive management data, interfere with vCenter services, and potentially leverage control of the vCenter management plane for broader administrative impact in the virtualized environment.

Mitigation

If you can’t patch tonight, do this now.

VMware lists no official workarounds for this advisory. As compensating controls, organizations may restrict access to the vCenter Server Appliance, minimize or eliminate local shell access for non-administrative users, tightly control SSH and console access, and use the VCSA firewall (configured through VAMI) to limit exposure where applicable. Additional hardening should focus on limiting the ability of low-privilege users to obtain local authenticated access to the appliance until patches are applied.

Remediation

Patch, then assume compromise.

Apply the fixed VMware vCenter Server updates referenced in VMware Security Advisory VMSA-2024-0012. VMware advised customers to install one of the patch versions listed in the advisory to be fully protected, and notes that patch releases are cumulative. For VMware Cloud Foundation deployments that bundle vulnerable vCenter components, apply the corresponding asynchronous patch guidance from VMware/Broadcom.
Public exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (valid: 1 of 1 total).

CVE-2024-37081. Maturity: PoC. Verified exploit.

This repository provides a proof-of-concept (PoC) exploit for CVE-2024-37081, a local privilege escalation vulnerability in VMware vCenter due to improper configuration of the /etc/sudoers file. The repository contains two files: a README.md with detailed vulnerability and usage information, and poc.py, a Python script that demonstrates the exploit. The script creates a malicious Python module in /tmp/malicious/__init__.py, sets environment variables (PYTHONPATH, VMWARE_PYTHON_PATH, VMWARE_PYTHON_BIN) to point to malicious code or scripts, and uses sudo to execute commands as privileged users (operator, pod, admin, vpxd). It attempts to execute arbitrary code as root (demonstrated by writing the output of 'id' to /tmp/pwned) and to read sensitive files like /etc/shadow. The exploit is a local privilege escalation PoC and requires sudo access and a vulnerable sudoers configuration. No network endpoints are involved; all actions are performed locally on the target system.

Author: Mr-r00t11. Disclosed: Jul 9, 2024. Language: Python. Access: local.
Exposure surface: affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor    Product           Type
Broadcom  Cloud Foundation  application
Broadcom  vCenter Server    application

Vendor-confirmed product mapping.
