InfoSecBulletin Cybersecurity for mankind
VMware has issued a warning about a remote code execution vulnerability, CVE-2024-38814, with a CVSS score of 8.8, in its HCX application mobility platform.
An authenticated SQL injection vulnerability in HCX was privately reported to VMware by Sina Kheirkhah from the Summoning Team through the Trend Micro Zero Day Initiative. An authenticated user without admin rights could exploit this flaw using crafted SQL queries to execute unauthorized remote code on the HCX manager.
CVSS 10.0 Flaw
Critical flaw in Siemens OZW Web Servers Enable Unauthenticated RCE
Microsoft Patch Tuesday May 2025: 72 flaws, 5 Actively Exploited Zero-Day
OTP glitch disrupted NID services across the country
Google to pay Texas $1.4 billion for location tracking practices
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
“An authenticated SQL injection vulnerability in HCX was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.” reads the advisory published by the virtualization giant. “A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager.”
VMware HCX is a platform that helps move workloads easily between data centers and clouds. It allows organizations to migrate applications and virtual machines without any downtime.
The vulnerability CVE-2024-38814 affects HCX platform versions 4.8.x, 4.9.x, and 4.10.x. It has been resolved in versions 4.8.3, 4.9.2, and 4.10.1.
