tenable:207464 · VMware vCenter Server 7.x < 7.0 U3t / 8.x < 8.0.3 U3d Multiple...

01 · The Real Story

This is a master-key flaw on the locked management hallway, not the front lobby

Tenable plugin 207464 maps to Broadcom advisory VMSA-2024-0019 and really means two bugs in VMware vCenter Server: CVE-2024-38812, an unauthenticated DCERPC heap overflow that can lead to remote code execution, and CVE-2024-38813, a privilege-escalation flaw that can push access to root. Affected versions are vCenter 7.0 before 7.0 U3t and vCenter 8.0 before the fixed trains 8.0 U2e or 8.0 U3d; the concrete safe builds are 7.0.3.02200 build 24322018, 8.0.2.00500 build 24321653, and 8.0.3.00400 build 24322831.

Vendor CRITICAL is technically defensible for the RCE half, but it slightly overstates real-world population risk because exploitation is only possible where an attacker can actually talk to vCenter's management/DCERPC surface. That reachability requirement is real friction in mature enterprises, so this lands as HIGH, not CRITICAL; the score stays near the ceiling because the issue is unauthenticated, KEV-listed, actively exploited, and hits the virtualization control plane.

"Crown-jewel HIGH: reachability trims the population, but reachable vCenter means one bug away from estate-wide pain."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable vCenter

The attacker uses Masscan, Nmap, or exposed-asset search to identify vCenter by /ui or :5480, then confirms the host is on a vulnerable build. Shadowserver explicitly notes its HTTP-side detection is version-based and separately tags systems where the DCERPC service is exposed, which is the difference between 'old version' and 'actually reachable exploit path.'

Conditions required:

Network path to the vCenter management plane
vCenter running a vulnerable 7.0 or 8.0 build
DCERPC-relevant service reachable from the attacker's position

Where this breaks in practice:

Many enterprises keep vCenter off the public internet and behind jump hosts or management VLANs
A version-only finding does not prove the exploitable DCERPC path is exposed from the attacker vantage point
ZTNA, VPN segmentation, and ACLs commonly reduce reachable population

Detection/coverage: Strong scanner coverage. Nessus plugin 207464 is version-based; Shadowserver reports cve-2024-38812 and adds vcenter-dcerpc-exposed when the exploitable service is also reachable.

STEP 02

Trigger CVE-2024-38812 for pre-auth code execution

Using a crafted network packet against the vulnerable DCERPC implementation, the attacker attempts to corrupt heap state and gain execution in the vCenter context. Public discussion, GitHub references, and later conference research lowered the barrier after disclosure, and the CVE is now in KEV, so this is no longer a theoretical parser bug.

Conditions required:

No authentication required
Accurate packet delivery to the vulnerable service
Target not already patched to 7.0 U3t, 8.0 U2e, or 8.0 U3d or later

Where this breaks in practice:

Exploit reliability on memory-corruption bugs is never as universal as the CVSS math implies
Some environments expose the web UI but not the necessary service path to the attacker
Network IDS/IPS or management-plane filtering can break direct reachability

Detection/coverage: Version-based scanners are good; exploit-attempt detection is weaker. Network telemetry around unusual traffic into vCenter management interfaces and DCERPC exposure helps, but many environments have sparse east-west visibility.

STEP 03

Use CVE-2024-38813 or local follow-on to get root

If the initial foothold is constrained, the attacker can chain the privilege-escalation path or use local tradecraft to move to root on the appliance. Broadcom confirmed in-the-wild exploitation for CVE-2024-38813, which matters because root on vCenter is not just a single-host problem; it is control-plane ownership.

Conditions required:

Initial code execution or equivalent network-triggerable path
Vulnerable build still present
Ability to interact with local services or privileged components

Where this breaks in practice:

This step assumes the attacker already reached the management plane or landed code locally
EDR on appliance-like infrastructure is often absent, but hardened bastion access can still reduce attacker options

Detection/coverage: Host-side visibility is usually weak on vCenter appliances. Look for anomalous root-level process starts, unexpected file writes, service restarts, and new outbound connections from the appliance.

STEP 04

Exploit the control plane, not just the box

With root or equivalent control on vCenter, the attacker can pivot into the virtualization estate using native tooling like govc, vSphere APIs, guest operations, snapshots, credentials, and inventory access. This is why the blast radius is so severe: compromise of one management node can cascade to many ESXi hosts and VMs.

Conditions required:

Administrative or root-level control of vCenter
Managed ESXi hosts and VM inventory attached to that vCenter
No compensating segmentation between vCenter and the rest of the estate

Where this breaks in practice:

RBAC, separate management domains, and limited linked-mode scope can reduce tenant or cluster blast radius
Operational monitoring may catch disruptive post-exploitation like mass snapshots or VM tampering

Detection/coverage: SIEM and vCenter audit logs can show anomalous API calls, privilege changes, VM operations, content library abuse, and unusual host management actions.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	Confirmed exploited. Broadcom states exploitation occurred in the wild for `CVE-2024-38813`; NVD shows both `CVE-2024-38812` and `CVE-2024-38813` in CISA KEV.
KEV status and dates	KEV-listed on 2024-11-20 for both CVEs; NVD reflects CISA due date `2024-12-11` for federal remediation.
Proof-of-concept availability	Public barrier is lowered. GitHub references for `CVE-2024-38812` exist in CVE aggregation sources, and Broadcom credits `zbl` and `srs` of team TZL from the 2024 Matrix Cup for discovery. Black Hat Asia 2025 research further documented the bug class and exploitation path.
EPSS	`CVE-2024-38812` shows EPSS ~77.9% in Tenable's CVE page; `CVE-2024-38813` is commonly tracked around 29.5%-31% in multiple vulnerability databases. Translation: the RCE half is in the 'expect real attacker attention' bucket.
CVSS reality check	`CVE-2024-38812` is 9.8 with `AV:N/AC:L/PR:N/UI:N` and that matches reality well enough. `CVE-2024-38813` is where nuance matters: VMware scores it 7.5 with `AC:H/PR:L`, while NVD inflates it to 9.8; for defenders, VMware's vector is the more believable operational read.
Affected versions	All vCenter `7.0` before `7.0 U3t` and all vCenter `8.0` before `8.0 U2e` or `8.0 U3d`. Tenable plugin `207464` flags `7.x < 7.0 U3t` and `8.x < 8.0 U3d`.
Fixed versions	Use the corrected October 21, 2024 builds, not the incomplete September fix. Safe anchors: `7.0 U3t` build `24322018`, `8.0 U2e` build `24321653`, `8.0 U3d` build `24322831`.
Scanning and exposure data	Exposure is narrower than raw CVSS suggests. Shadowserver says patch status can be seen over HTTP, but actual exploitation requires the DCERPC service to be exposed and it separately tags those hosts as `vcenter-dcerpc-exposed`. Censys likewise warns exposed `/ui` and `:5480` assets likely indicate vCenter components worth triaging.
Disclosure timeline	Disclosed 2024-09-17; advisory updated 2024-10-21. The update matters because Broadcom says the September 17 patch did not fully address `CVE-2024-38812`.
Reporting researcher / org	Reported by `zbl` and `srs` of team TZL working with the 2024 Matrix Cup contest, per Broadcom acknowledgment.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (8.9/10)

The single biggest reason this is HIGH instead of CRITICAL is reachability: the exploit path matters only where attackers can actually reach vCenter's management/DCERPC surface, and many enterprises intentionally keep that plane segmented. It still stays near the top of HIGH because no authentication is needed for the primary RCE and compromise lands directly on the virtualization control plane, where blast radius is far beyond one appliance.

HIGH Affected version and fixed-build mapping

HIGH Active exploitation / KEV status

MEDIUM How often the exploitable DCERPC path is reachable in real enterprise layouts

Why this verdict

Start at vendor 9.8 because CVE-2024-38812 is unauthenticated network RCE on a crown-jewel management server.
Adjust downward for attacker position because the bug is only valuable where the attacker can reach vCenter's management plane and, in practice, the relevant DCERPC service. That usually implies internet exposure or post-initial-access movement into admin or management segments, which shrinks the reachable population versus true edge software.
Adjust upward again for exploitation evidence and blast radius because both CVEs hit KEV on 2024-11-20, Broadcom confirmed in-the-wild exploitation for CVE-2024-38813, and owning vCenter means owning the orchestration layer for many ESXi hosts and VMs.

Why not higher?

This is not a universal internet worm problem. Many enterprises keep vCenter off the public internet, restrict it to jump hosts, and will be flagged by version-based scanning even when the exact exploitable DCERPC path is not broadly reachable. That real-world reachability friction is enough to keep it out of CRITICAL.

Why not lower?

Once reachable, the primary flaw needs no authentication and the impact is not 'one server down' but potential compromise of the virtualization control plane. KEV status and confirmed in-the-wild exploitation remove any comfort that this is just a hard-to-use lab bug.

05 · Compensating Control

What to do — in priority order.

Restrict vCenter reachability now — Limit 443, 5480, and any management/DCERPC-relevant paths to dedicated admin jump hosts and management networks only. Because this issue is KEV-listed, apply this immediately, within hours, not on the normal HIGH cadence.
Block direct internet exposure — If any vCenter UI or VAMI is externally reachable, remove it from direct internet access and force administration through VPN plus bastion or ZTNA. For this KEV case, do it immediately, within hours.
Monitor vCenter for abnormal API and root activity — Push vCenter audit logs, shell logs, and network telemetry into SIEM and alert on unusual VM operations, privilege changes, new services, and unexpected outbound connections from the appliance. Stand this up immediately, within hours where patching cannot be completed at once.
Validate the October 21 fixed build — Do not assume the September 17 patch closed the hole; Broadcom explicitly said it was incomplete for CVE-2024-38812. Confirm each appliance is on 7.0 U3t, 8.0 U2e, 8.0 U3d, or later immediately, within hours.

What doesn't work

A WAF in front of /ui alone does not solve this, because the issue is in vCenter's DCERPC implementation and reachability may bypass simple HTTP-focused controls.
MFA on vSphere admins helps for account abuse but not for the unauthenticated RCE portion of CVE-2024-38812.
Version-only 'patched in September' assumptions are dangerous here because Broadcom later stated that the September 17 fix did not fully address CVE-2024-38812.

06 · Verification

Crowdsourced verification payload.

Run this on each vCenter Server Appliance over SSH as root or an account with shell access to execute vpxd -v. Save it as check_vmsa_2024_0019.sh, then run bash check_vmsa_2024_0019.sh; it needs local shell access but no internet connectivity.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_vmsa_2024_0019.sh
# Detects whether a VMware vCenter Server Appliance is vulnerable to VMSA-2024-0019
# Covers CVE-2024-38812 / CVE-2024-38813 fixed in:
#   7.0 U3t  -> 7.0.3.02200 build 24322018
#   8.0 U2e  -> 8.0.2.00500 build 24321653
#   8.0 U3d  -> 8.0.3.00400 build 24322831
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

SAFE_BUILD_7_0_U3T=24322018
SAFE_BUILD_8_0_U2E=24321653
SAFE_BUILD_8_0_U3D=24322831

get_version_output() {
  if command -v vpxd >/dev/null 2>&1; then
    vpxd -v 2>/dev/null | head -n 1
    return 0
  fi

  if [[ -r /var/log/vmware/vpxd/vpxd.log ]]; then
    grep -m1 -E 'VMware VirtualCenter|build-' /var/log/vmware/vpxd/vpxd.log 2>/dev/null
    return 0
  fi

  return 1
}

parse_version() {
  local line="$1"
  VERSION=$(echo "$line" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
  BUILD=$(echo "$line" | grep -Eo 'build-?[0-9]+' | grep -Eo '[0-9]+' | head -n1)
}

version_ge() {
  # returns 0 if $1 >= $2
  local a="$1" b="$2"
  local IFS=.
  local i
  read -r -a va <<< "$a"
  read -r -a vb <<< "$b"
  for ((i=${#va[@]}; i<3; i++)); do va[i]=0; done
  for ((i=${#vb[@]}; i<3; i++)); do vb[i]=0; done
  for i in 0 1 2; do
    if ((10#${va[i]} > 10#${vb[i]})); then return 0; fi
    if ((10#${va[i]} < 10#${vb[i]})); then return 1; fi
  done
  return 0
}

line="$(get_version_output)"
if [[ -z "${line:-}" ]]; then
  echo "UNKNOWN: could not determine vCenter version/build (vpxd unavailable)"
  exit 2
fi

parse_version "$line"
if [[ -z "${VERSION:-}" || -z "${BUILD:-}" ]]; then
  echo "UNKNOWN: unable to parse version/build from: $line"
  exit 2
fi

major_minor=$(echo "$VERSION" | awk -F. '{print $1"."$2}')

echo "Detected version=$VERSION build=$BUILD"

case "$major_minor" in
  7.0)
    # Future 7.0.4+ style versions do not exist for vCenter; build threshold is safest.
    if (( BUILD >= SAFE_BUILD_7_0_U3T )); then
      echo "PATCHED"
      exit 0
    else
      echo "VULNERABLE"
      exit 1
    fi
    ;;
  8.0)
    # First handle clearly newer minor/update trains.
    if version_ge "$VERSION" "8.0.4"; then
      echo "PATCHED"
      exit 0
    fi

    if version_ge "$VERSION" "8.0.3"; then
      if (( BUILD >= SAFE_BUILD_8_0_U3D )); then
        echo "PATCHED"
        exit 0
      else
        echo "VULNERABLE"
        exit 1
      fi
    fi

    if version_ge "$VERSION" "8.0.2"; then
      if (( BUILD >= SAFE_BUILD_8_0_U2E )); then
        echo "PATCHED"
        exit 0
      else
        echo "VULNERABLE"
        exit 1
      fi
    fi

    echo "VULNERABLE"
    exit 1
    ;;
  *)
    echo "UNKNOWN: unsupported or unexpected vCenter version family '$major_minor'"
    exit 2
    ;;
esac

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat every Tenable 207464 hit as a management-plane emergency, but triage by reachability first: identify all vCenter instances, confirm whether the DCERPC-relevant path is reachable from anything outside tightly controlled admin networks, and for any reachable system patch / mitigate immediately, within hours because KEV and active exploitation override the normal noisgate mitigation SLA. For the formal patch program this is still a HIGH finding, so the noisgate remediation SLA is <=180 days, but do not consume that window on exposed or broadly reachable vCenter; move those to same-day or next-change execution and make sure the appliance is on the corrected October 21, 2024 builds, not the incomplete September 17, 2024 fix.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.