VMware discloses Fusion vulnerability with 8.8 rating

The company issued a patch for the high-severity bug that allows arbitrary code execution.

A critical vulnerability in VMware Fusion that allows code execution in the program by a user with standard privileges was disclosed last Wednesday, according to Broadcom.

The security advisory covers versions 13.x up to 13.6 of the popular virtualization software for macOS. The bug, CVE-2024-38811, has a CVSSv3 base score of 8.8 and is caused by an insecure environment variable. Mykola Grymalyuk of RIPEDA Consulting reported the vulnerability, and VMware has issued a patched version of the software.

The vulnerability allows a user with standard privileges to execute code within the Fusion application.

Ransomware actors have long used VMware products for initial access and further digital extortion. The new ransomware variant Cicada3301 is known to use a vulnerability in VMware ESXi systems.

Written by Christian Vasquez

Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out: christian.vasquez at cyberscoop dot com