VMware has announced the urgent patching of a high-severity SQL injection flaw within its HCX platform. The vulnerability, with a CVSS score of 8.8/10, poses a significant threat as it allows attackers with non-admin privileges to execute remote code on the HCX manager.
The HCX platform, integral for application migration and workload management across cloud and data center environments, is affected in versions 4.8.x through 4.10.x. If exploited, the flaw tracked as CVE-2024-38814 enables a malicious authenticated user to input manipulated SQL queries, permitting unauthorized Remote Code Execution (RCE).
VMware has released detailed patch instructions, emphasizing the critical nature of this update for affected systems. The discovery and report of the bug were attributed to Sina Kheirkhah of SinSinology through the Zero Day Initiative bug bounty program.
Organizations using VMware's HCX platform are advised to apply these patches promptly to mitigate potential security risks.
SQL injection is a type of security vulnerability that allows attackers to interfere with the queries an application makes to its database. By exploiting SQL injection vulnerabilities, malicious actors can gain unauthorized access to sensitive data, such as user information, financial records, or corporate secrets.Â
They may also modify or delete data, resulting in severe operational, legal, and financial consequences for affected organizations. Due to the potential for massive data breaches and system compromise, SQL injection remains one of the most critical threats in the cybersecurity landscape.Â
In August, security experts observed the BlackByte ransomware group exploiting a VMware ESXi authentication bypass vulnerability shortly after its publication using the victim organization’s VPN for initial access in one of the analyzed cases.