Security scans against HCX Manager detect "/cgi-bin/test-cgi" with an HTTP 200 response, which is flagged as a potential vulnerability.

/cgi-bin/test-cgi
Running HTTPS service
Product HTTPD exists -- Apache HTTPD
HTTP GET request to https://<HCX-IP>/cgi-bin/test-cgi
HTTP response code was an expected 200

HCX

The CGI module is disabled in the Apache configuration. However, when a security scanner scans the cgi-bin directory, it still receives an HTTP 200 response because the directory exists. This results in an incorrect flagging of a potential threat or vulnerability. This is a false positive and does not indicate a security issue.

This issue is resolved in VMware HCX 4.11 available at  Broadcom Downloads

Workaround:

• Backup HCX Manager.
• Remove the folder /etc/httpd/cgi-bin from HCX Manager.