Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

VMware Patches High-Severity SQL Injection Flaw in HCX Platform

VMware patches CVE-2024-38814 and warns that attackers with non-administrator privileges can execute remote code on the HCX manager.

VMware vulnerability

VMWare on Wednesday called urgent attention to a critical remote code execution flaw haunting users of its enterprise-facing HCX application mobility platform.

The vulnerability, tagged as CVE-2024-38814, carries a CVSS severity score of 8.8/10 and allows attackers with non-administrator privileges to execute remote code on the HCX manager.

“A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager,” according to an advisory from the virtualization technology vendor.

VMware HCX is an application mobility platform designed to simplify application migration, workload rebalancing, and business continuity across data centers and clouds.

The Broadcom-owned company said the security defect impacts multiple versions of the VMware HCX platform, including versions 4.8.x, 4.9.x, and 4.10.x. 

VMware has published instructions on applying the available patches.

The company credited Sina Kheirkhah from SinSinology for reporting the bug through the ZDI bug bounty program.

Related: VMware Patches RCE Flaw Found in Chinese Hacking Contest

Advertisement. Scroll to continue reading.

Related: Exploited Vulnerability Impacts 20k VMware ESXi Instances

Related: Microsoft Says Ransomware Gangs Exploiting VMware ESXi Flaw

Related: VMware Patches Critical SQL-Injection Flaw in Aria Automation 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Jared Bartel has been named CISO at Idaho State University.

Automated phishing protection and scam prevention company Bolster has appointed Rod Schultz as CEO.

Bugcrowd has appointed Trey Ford as CISO for the Americas.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.