VMware fixes a high-severity SQL injection flaw in HCX allowing non-admin users to remotely execute code on the HCX manager.
VMWare warns to address a remote code execution vulnerability, tracked as CVE-2024-38814 (CVSS score of 8.8), in its HCX application mobility platform.
The vulnerability is an authenticated SQL injection vulnerability in HCX, it was privately reported to VMware by Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) through the Trend Micro Zero Day Initiative (ZDI). An authenticated user with non-admin rights could use crafted SQL queries to exploit the flaw and execute unauthorized remote code on the HCX manager.
“An authenticated SQL injection vulnerability in HCX was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.” reads the advisory published by the virtualization giant. “A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager.”
VMware HCX (Hybrid Cloud Extension) is a workload mobility platform designed to simplify the migration, rebalancing, and continuity of workloads across data centers and clouds. It enables organizations to move applications and virtual machines seamlessly between on-premises environments and cloud infrastructures without requiring downtime.
The vulnerability CVE-2024-38814 impacts multiple versions of the HCX platform, including versions 4.8.x, 4.9.x, and 4.10.x. The vulnerability was fixed with versions 4.8.3, 4.9.2, and 4.10.1.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, VMware HCX)