Pierluigi Paganini March 26, 2025

Broadcom addressed a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230, in VMware Tools for Windows.

Broadcom released security updates to address a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230 (CVSS score 9.8), impacting VMware Tools for Windows.

VMware Tools for Windows is a suite of utilities that enhances the performance and usability of virtual machines (VMs) running on VMware hypervisors like VMware Workstation, Fusion, and vSphere (ESXi).

The vulnerability is due to improper access control.

Low-privileged local attackers can exploit this vulnerability in simple attacks without user interaction to escalate privileges on vulnerable VMs.

“VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control.” reads the advisory. “A malicious actor with non-administrative privileges on a Windows guest VM may gain ability to perform certain high-privilege operations within that VM.”

Sergey Bliznyuk of Positive Technologies reported the vulnerability to the virtualization giant.

The vulnerability impacts VMware Tools versions 12.x.x, 11.x.x for Windows, Linux, and macOS. VMware Tools 12.5.1 addressed this flaw. The company did not reveal if the flaw is actively exploited in attacks in the wild.

In early March, Broadcom released security updates to address three VMware zero-day vulnerabilities in ESX products that are actively exploited in the wild.

The flaws, respectively tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, impact multiple VMware ESX products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform.

The virtualization giant confirmed that it has information to suggest that exploitation of the three flaws has occurred in the wild.

“On March 4, 2025 Broadcom released a critical VMware Security Advisory (VMSA), VMSA-2025-0004, addressing security vulnerabilities found and resolved in VMware ESX regarding a mechanism where threat actors could access the hypervisor through a running virtual machine” states the company. “Are the vulnerabilities being exploited “in the wild?” Broadcom has information to suggest that exploitation of these issues has occurred “in the wild.” “Is this a “VM Escape?” “Yes. This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, VMware)