TLDR:
Key Points:
- VMware Fusion has a vulnerability (CVE-2024-38811) that allows attackers to execute malicious code.
- The vulnerability affects VMware Fusion 13.x versions running on macOS.
VMware has issued a security advisory to address a significant vulnerability in its VMware Fusion product that could allow attackers to execute malicious code. This vulnerability, identified as CVE-2024-38811, stems from the application's use of an insecure environment variable. With a CVSSv3 score of 8.8, it is classified as Important. The flaw allows a malicious actor with standard user privileges to execute arbitrary code within the Fusion application's context. Users are advised to upgrade to the fixed version specified in VMware's response matrix, which lists VMware Fusion 13.6 as the patched version. VMware has credited Mykola Grymalyuk of RIPEDA Consulting for responsibly reporting the issue. Organizations are urged to apply the update immediately to mitigate the risk of exploitation, although no exploits targeting CVE-2024-38811 are known to be in circulation.
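A quick way to confirm whether a Mac's Fusion install is at or above the 13.6 fix named in the response matrix, as an added example that is not part of the advisory; the bundle path and the Info.plist key are assumptions about a default install, and the version comparison is done component by component so that 13.10 is not mistaken for an older release than 13.6:

```shell
#!/bin/sh
# Added check (not from the advisory): is the installed VMware Fusion at or
# above the fixed release, 13.6, listed in VMware's response matrix?
# Assumptions: Fusion lives at the default bundle path below and records its
# version in Info.plist under CFBundleShortVersionString.
FIXED_VERSION="13.6"
FUSION_PLIST="/Applications/VMware Fusion.app/Contents/Info.plist"

# version_field STRING N: the N-th dot-separated component, or "" past the end.
# A trailing dot is appended so one-component strings still split.
version_field() {
    printf '%s.' "$1" | cut -d. -f"$2"
}

# fusion_is_patched VERSION: exit 0 when VERSION >= FIXED_VERSION, else 1.
# Components are compared as integers, so 13.10 correctly ranks above 13.6
# and 13.6.1 counts as patched.
fusion_is_patched() {
    i=1
    while [ "$i" -le 8 ]; do
        h=$(version_field "$1" "$i")
        w=$(version_field "$FIXED_VERSION" "$i")
        [ -z "$h" ] && [ -z "$w" ] && return 0    # identical versions
        h=${h:-0}; w=${w:-0}
        h=${h%%[!0-9]*}; w=${w%%[!0-9]*}           # drop suffixes such as "rc1"
        [ "${h:-0}" -gt "${w:-0}" ] && return 0
        [ "${h:-0}" -lt "${w:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# check_installed_fusion: read the bundle version and report. Exit 0 when
# patched, 1 when still vulnerable, 2 when Fusion is not at the assumed path.
check_installed_fusion() {
    [ -f "$FUSION_PLIST" ] || { echo "VMware Fusion not found at $FUSION_PLIST"; return 2; }
    ver=$(defaults read "$FUSION_PLIST" CFBundleShortVersionString 2>/dev/null)
    if fusion_is_patched "$ver"; then
        echo "VMware Fusion $ver: at or above $FIXED_VERSION, fixed for CVE-2024-38811"
        return 0
    fi
    echo "VMware Fusion $ver: below $FIXED_VERSION, upgrade to address CVE-2024-38811"
    return 1
}

# Only run the live check on a host where the bundle actually exists.
if [ -f "$FUSION_PLIST" ]; then check_installed_fusion; fi
```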