October 17 2024 By Pierluigi Paganini
VMware fixes a high-severity SQL injection flaw in HCX allowing non-admin users to remotely execute code on the HCX manager.
VMWare warns to address a remote code execution vulnerability, tracked as CVE-2024-38814 (CVSS score of 8.8), in its HCX application mobility platform.
The vulnerability is an authenticated SQL injection vulnerability in HCX, it was privately reported to VMware by Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) through the Trend Micro Zero Day Initiative (ZDI). An authenticated user with non-admin rights could use crafted SQL queries to exploit the flaw and execute unauthorized remote code on the HCX manager.