A high-severity VMware Fusion 13.x bug that can let a bad actor with only standard user privileges execute arbitrary code in the Fusion application was patched Tuesday by Broadcom.
Security pros said it’s a significant vulnerability because it allows arbitrary code execution without requiring elevated privileges, potentially compromising the host system and any virtual machines running on it.
“The risk is amplified in development and testing environments where sensitive code or data may be exposed across multiple virtual instances,” said Stephen Kowski, Field CTO at SlashNext email security. “To mitigate such threats, organizations should implement robust endpoint detection and response systems, employ advanced email security measures to prevent initial compromise, and maintain a proactive patching strategy.”
VMware Fusion is used primarily by developers, IT professionals, and power users on macOS to run multiple operating systems concurrently. Kowski said he used it for many years to run Kali and Windows VMs.
Venky Raju, Field CTO at ColorTokens, added that while primarily used by students and developers, VMware Fusion also gets used in environments where application software is available only on legacy operating systems and is run inside a virtual machine on a modern host. Raju said examples include running MS-DOS and Windows 98-based applications inside a virtual machine on Windows 10.
“Developers also use virtualization solutions, and the risk here is that if the virtual machine OS is being used for development, it may contain SSH keys and API credentials that hackers could attempt to steal,” said Raju.
The vulnerability — CVE-2024-38811 — was reported to VMware by Mykola Grymalyuk of RIPEDA Consulting.