Critical Authentication Bypass Vulnerability CVE-2025-22230 Impacts VMware Tools for Windows
Learn about the critical authentication bypass vulnerability CVE-2025-22230 in VMware Tools for Windows, its impact, and the necessary security updates released by Broadcom.
TL;DR
Broadcom has addressed a high-severity authentication bypass vulnerability, CVE-2025-22230, in VMware Tools for Windows. This flaw, with a CVSS score of 9.8, allows low-privileged attackers to escalate privileges on vulnerable VMs. The issue has been patched in VMware Tools 12.5.1.
Critical Authentication Bypass Vulnerability in VMware Tools for Windows
Broadcom recently released security updates to address a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230 (CVSS score 9.8), impacting VMware Tools for Windows. This suite of utilities enhances the performance and usability of virtual machines (VMs) running on VMware hypervisors such as VMware Workstation, Fusion, and vSphere (ESXi).
Vulnerability Details
The vulnerability is due to improper access control, allowing low-privileged local attackers to exploit this flaw without user interaction. This can result in privilege escalation on vulnerable VMs. According to the advisory, “A malicious actor with non-administrative privileges on a Windows guest VM may gain the ability to perform certain high-privilege operations within that VM” [1].
Discovery and Impact
Sergey Bliznyuk of Positive Technologies reported the vulnerability to Broadcom. The issue affects VMware Tools versions 12.x.x and 11.x.x for Windows, Linux, and macOS. Broadcom has released VMware Tools 12.5.1 to address this flaw but has not disclosed whether the vulnerability is being actively exploited in the wild.
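The version check implied above can be run across an inventory export. The following is an added example, not code from Broadcom or the original article: the CSV layout, hostnames and sample versions are constructed, and limiting the check to Windows guests (the platform named in the advisory title) is an assumption.

```python
import csv
import io
import re

FIXED = (12, 5, 1)          # fixed release named on this page
AFFECTED_MAJORS = {11, 12}  # "12.x.x and 11.x.x" per this page

# Constructed sample inventory; hostnames, column names and versions are made up.
SAMPLE_INVENTORY = """\
vm_name,guest_os,tools_version
app-01,Windows Server 2022,12.4.5.23787635 (build-23787635)
app-02,Windows Server 2019,12.5.1
db-01,Windows Server 2016,11.3.5
web-01,Ubuntu 22.04,12.3.0
old-01,Windows Server 2012 R2,10.3.25
tmp-01,Windows 11,
"""

def parse_version(text):
    """Return (major, minor, patch) from a dotted version string, or None."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def classify(tools_version):
    """Classify one VMware Tools version against the 12.5.1 fix."""
    v = parse_version(tools_version)
    if v is None:
        return "unknown"        # Tools missing or unparsable: check by hand
    if v[0] not in AFFECTED_MAJORS:
        return "out-of-range"   # not an 11.x/12.x build; the page gives no data
    return "fixed" if v >= FIXED else "needs-update"

def triage(inventory_csv, os_keyword="windows"):
    """Return {vm_name: status} for guests whose OS contains os_keyword."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if os_keyword.lower() in row["guest_os"].lower():
            result[row["vm_name"]] = classify(row["tools_version"])
    return result

if __name__ == "__main__":
    for vm, status in triage(SAMPLE_INVENTORY).items():
        print(f"{vm:8} {status}")
```

Guests reported as "unknown" or "out-of-range" are not cleared by this check and need manual review.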
Recent Security Updates
In early March, Broadcom released security updates to address three actively exploited zero-day vulnerabilities in VMware ESX products. These flaws, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, impact multiple VMware ESX products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform. Broadcom confirmed that these vulnerabilities have been exploited in the wild [2].
Broadcom’s Statement
Broadcom’s advisory states, “On March 4, 2025, Broadcom released a critical VMware Security Advisory (VMSA), VMSA-2025-0004, addressing security vulnerabilities found and resolved in VMware ESX regarding a mechanism where threat actors could access the hypervisor through a running virtual machine” [3]. The company has information suggesting that exploitation of these issues has occurred in the wild, confirming that this is a “VM Escape” situation in which an attacker who has compromised a VM’s guest OS could move into the hypervisor itself [4].
Conclusion
The authentication bypass vulnerability CVE-2025-22230 in VMware Tools for Windows highlights the importance of timely security updates. Organizations using VMware products should prioritize applying the latest patches to mitigate potential risks. Staying vigilant and proactive in addressing such vulnerabilities is crucial for maintaining a secure IT environment.
References
[1] Broadcom (2025). “VMware Tools for Windows contains an authentication bypass vulnerability”. Broadcom Support. Retrieved 2025-03-26.
[2] Security Affairs (2025). “VMware fixed three actively exploited zero-days in ESX products”. Security Affairs. Retrieved 2025-03-26.
[3] VMware (2025). “VMSA-2025-0004”. VMware Security Advisories. Retrieved 2025-03-26.
[4] VMware (2025). “VMSA-2025-0004”. VMware Security Advisories. Retrieved 2025-03-26.