VMWare on Wednesday called urgent attention to a critical remote code execution flaw haunting users of its enterprise-facing HCX application mobility platform.

The vulnerability, tagged as CVE-2024-38814, carries a CVSS severity score of 8.8/10 and allows attackers with non-administrator privileges to execute remote code on the HCX manager.

“A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and perform unauthorized remote code execution on the HCX manager,” according to an advisory from the virtualization technology vendor.

VMware HCX is an application mobility platform designed to simplify application migration, workload rebalancing, and business continuity across data centers and clouds.

The Broadcom-owned company said the security defect impacts multiple versions of the VMware HCX platform, including versions 4.8.x, 4.9.x, and 4.10.x. 

VMware has published instructions on applying the available patches.

The company credited Sina Kheirkhah from SinSinology for reporting the bug through the ZDI bug bounty program.

Related: VMware Patches RCE Flaw Found in Chinese Hacking Contest

Related: Exploited Vulnerability Impacts 20k VMware ESXi Instances

Related: Microsoft Says Ransomware Gangs Exploiting VMware ESXi Flaw

Related: VMware Patches Critical SQL-Injection Flaw in Aria Automation