Cyber Resilience

CVE-2024-38814

Severity: High

Published: 16 October 2024

Modified: 21 October 2024
KEV Added: not listed
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2504 (96.3rd percentile)
Risk Priority: 33 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-38814 is a high-severity SQL injection (CWE-89) vulnerability in VMware HCX. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-38814 is an authenticated SQL injection vulnerability, tracked under CWE-89, that affects VMware HCX. A malicious authenticated user with non-administrator privileges can supply specially crafted SQL queries to the HCX manager, enabling unauthorized remote code execution.

An attacker who already possesses valid low-privileged credentials on the affected system can exploit the flaw over the network without user interaction. Successful exploitation yields full control over the HCX manager, including the ability to read, modify, or delete data and execute arbitrary code with high impact to confidentiality, integrity, and availability, as reflected in the CVSS 8.8 score.

The Broadcom security advisory at the referenced URL states that updates are available to remediate the issue in affected VMware HCX products. The EPSS score has reached a peak of 0.2797 with a current value of 0.2504, indicating moderate and relatively stable exploitation probability since disclosure.

Vulnerability details

An authenticated SQL injection vulnerability in VMware HCX was privately reported to VMware. A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager. Updates are available to remediate this vulnerability in affected VMware products.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: VMware
Product: VMware HCX
Affected versions: 4.10.0; 4.8.0 to 4.8.2; 4.9.0 to 4.9.1

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Query input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.
