Friday, January 23, 2026

CISA Adds VMware Vulnerability to KEV Catalog – 1-23-26

Today CISA announced that it had added an out-of-bounds write vulnerability in the VMware vCenter Server to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was previously disclosed by Broadcom on June 18th, 2024. It was initially reported by Hao Zheng and Zibo Li from the TianGong Team of Legendsec. VMware has released new versions that mitigate the vulnerability. In November 2025, SentinelOne published (and updated yesterday) a brief report on the vulnerability with proof-of-concept exploit code.

CISA has directed federal agencies using the affected product to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A compliance date of February 13th, 2026 has been established.
