VMware HCX Vulnerability Let Attackers Inject Malicious SQL Queries

VMware has disclosed a critical security vulnerability in its HCX platform, a key component for hybrid cloud extension solutions.

The flaw, identified as CVE-2024-38814, allows authenticated users with non-administrator privileges to perform SQL injection attacks, potentially leading to unauthorized remote code execution on the HCX manager.

The vulnerability affects multiple versions of VMware HCX, including 4.8.x, 4.9.x, and 4.10.x. With a CVSSv3 base score of 8.8, this high-severity issue poses a significant risk to organizations using the affected versions.

Successful exploitation of this vulnerability could enable attackers to compromise the confidentiality, integrity, and availability of the affected system.

The potential consequences are severe, ranging from data theft and system manipulation to service disruption.VMware has released patches to address the vulnerability:

  • VMware HCX 4.10.x: Fixed in version 4.10.1
  • VMware HCX 4.9.x: Fixed in version 4.9.2
  • VMware HCX 4.8.x: Fixed in version 4.8.3

Security experts strongly advise administrators to apply these patches immediately, as there are no known workarounds for this vulnerability.

Additionally, organizations should implement strong access controls, monitor user activities, and use input validation and parameterized queries to prevent SQL injection attacks.

Sina Kheirkhah of the Summoning Team, working with Trend Micro Zero Day Initiative (ZDI), privately reported the vulnerability to VMware.

While there is currently no evidence of public proof-of-concept or active exploitation, the high severity rating underscores the urgency of addressing this issue.

As organizations increasingly rely on hybrid cloud solutions, vulnerabilities in platforms like VMware HCX can have far-reaching consequences.

This incident serves as a reminder of the importance of prompt patching and robust security practices in maintaining the integrity of critical infrastructure components.

Posted in Cybersecurity

Leave a Comment

Your email address will not be published. Required fields are marked *

*
*