InfoSecBulletin Cybersecurity for mankind
VMware has issued a warning about a remote code execution vulnerability, CVE-2024-38814, with a CVSS score of 8.8, in its HCX application mobility platform.
An authenticated SQL injection vulnerability in HCX was privately reported to VMware by Sina Kheirkhah from the Summoning Team through the Trend Micro Zero Day Initiative. An authenticated user without admin rights could exploit this flaw using crafted SQL queries to execute unauthorized remote code on the HCX manager.
16,000+ Fortinet devices compromised with symlink backdoor, Mostly in Asia
Patch now! Critical Erlang/OTP SSH Vuln Allows UCE
CISA warns of increasing risk tied to Oracle legacy Cloud leak
CVE-2025-20236
Cisco Patches Unauthenticated RCE Flaw in Webex App
Apple released emergency security updates for 2 zero-day vulns
Oracle Released Patched for 378 flaws for April 2025
CVE-2025-24054
Hackers Exploiting NTLM Spoofing Windows Vuln the in Wild
Bengaluru firm got ransomware attack, Hacker demanded $70,000
MITRE warns: U.S. Govt. Funding for MITRE’s CVE Ends Today
PwC exits more than a dozen countries in push to avoid scandals: FT reports
“An authenticated SQL injection vulnerability in HCX was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.” reads the advisory published by the virtualization giant. “A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager.”
VMware HCX is a platform that helps move workloads easily between data centers and clouds. It allows organizations to migrate applications and virtual machines without any downtime.
The vulnerability CVE-2024-38814 affects HCX platform versions 4.8.x, 4.9.x, and 4.10.x. It has been resolved in versions 4.8.3, 4.9.2, and 4.10.1.
