Source: www.securityweek.com – Author: Ryan Naraine
VMWare on Wednesday called urgent attention to a critical remote code execution flaw haunting users of its enterprise-facing HCX application mobility platform.
The vulnerability, tagged as CVE-2024-38814, carries a CVSS severity score of 8.8/10 and allows attackers with non-administrator privileges to execute remote code on the HCX manager.
“A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager,” according to an advisory from the virtualization technology vendor.
VMware HCX is an application mobility platform designed to simplify application migration, workload rebalancing, and business continuity across data centers and clouds.
The Broadcom-owned company said the security defect impacts multiple versions of the VMware HCX platform, including versions 4.8.x, 4.9.x, and 4.10.x.
VMware has published instructions on applying the available patches.
The company credited Sina Kheirkhah from SinSinology for reporting the bug through the ZDI bug bounty program.
Related: VMware Patches RCE Flaw Found in Chinese Hacking Contest
Advertisement. Scroll to continue reading.
Related: Exploited Vulnerability Impacts 20k VMware ESXi Instances
Related: Microsoft Says Ransomware Gangs Exploiting VMware ESXi Flaw
Related: VMware Patches Critical SQL-Injection Flaw in Aria Automation
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
Daily Briefing Newsletter
Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.
Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization’s data security and resilience.
The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
Original Post URL: https://www.securityweek.com/vmware-patches-high-severity-sql-injection-flaw-in-hcx-platform/
Category & Tags: Vulnerabilities,CVE-2024-38814,remote code execution,SQL injection,VMware – Vulnerabilities,CVE-2024-38814,remote code execution,SQL injection,VMware
Views: 3
