VMware fixes high-severity code execution flaw in VMware Fusion
Take action: Although an attacker needs valid credentials to exploit the flaw, obtaining them is not impossible, usually through phishing or endpoint malware. Advise all admins and users of Fusion systems to be especially mindful of phishing and of the programs they run on their computers, and plan to patch VMware Fusion.
Learn More
VMware has released a security update for its Fusion hypervisor to address a high-severity vulnerability.
The flaw is tracked as CVE-2024-38811 (CVSS score: 8.8) and arises from the use of an insecure environment variable in VMware Fusion, which could be exploited by a malicious actor with standard user privileges to execute arbitrary code within the context of the Fusion application. Successful exploitation could potentially lead to a complete system compromise.
VMware advises all users to update their Fusion instances to version 13.6 immediately, as no workarounds are available for this vulnerability. While VMware has not indicated that the flaw is being actively exploited in the wild, prompt updating is recommended to prevent potential risks.
The latest release of VMware Fusion also includes an update to OpenSSL version 3.0.14, which addresses three vulnerabilities that could lead to denial-of-service (DoS) conditions or significantly degrade the application's performance.