CVE-2024-38814
Published: 16 October 2024
Summary
CVE-2024-38814 is a high-severity SQL Injection (CWE-89) vulnerability in VMware HCX. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-38814 is an authenticated SQL injection vulnerability, tracked under CWE-89, that affects VMware HCX. A malicious authenticated user with non-administrator privileges can supply specially crafted SQL queries to the HCX manager, enabling unauthorized remote code execution.
An attacker who already possesses valid low-privileged credentials on the affected system can exploit the flaw over the network without user interaction. Successful exploitation yields full control over the HCX manager, including the ability to read, modify, or delete data and execute arbitrary code with high impact to confidentiality, integrity, and availability, as reflected in the CVSS 8.8 score.
The Broadcom security advisory at the referenced URL states that updates are available to remediate the issue in affected VMware HCX products. The EPSS score has reached a peak of 0.2797 with a current value of 0.2504, indicating moderate and relatively stable exploitation probability since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37637
Vulnerability details
An authenticated SQL injection vulnerability in VMware HCX was privately reported to VMware. A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager. Updates are available to remediate this vulnerability in affected VMware products.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.