---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'High Severity Vulnerability in VMware Fusion for MacOS'
number: '2024-091'
version: '1.0'
original_date: '2024-09-03'
date: '2024-09-04'
---

_History:_

* _04/09/2024 --- v1.0 -- Initial publication_

# Summary

On September 3, 2024, Broadcom disclosed a high-severity vulnerability in VMware Fusion, which could allow attackers to execute arbitrary code on macOS systems [1].

# Technical Details

The vulnerability **CVE-2024-38811**, with a CVSS score of 8.8, arises from improper handling of environment variables, allowing malicious actors with standard user privileges to execute arbitrary code within the VMware Fusion environment. This may lead to full-system compromise, potentially exposing sensitive data and disrupting operations.

# Affected Products

- VMware Fusion versions prior to 13.6, running on macOS.

# Recommendations

CERT-EU recommends immediately updating VMware Fusion to a fixed version.

# References

[1]