Broadcom has taken significant steps to address a critical authentication bypass vulnerability, identified as CVE-2025-22230, which affects VMware Tools for Windows. This vulnerability, rated with a CVSS score of 9.8, poses a serious risk to users of VMware’s suite of utilities designed to enhance the performance and usability of virtual machines (VMs) operating on VMware hypervisors, including VMware Workstation, Fusion, and vSphere (ESXi).
The root of the issue lies in improper access control, allowing low-privileged local attackers to exploit the vulnerability with minimal effort and without requiring user interaction. This could enable them to escalate their privileges within vulnerable VMs, potentially leading to unauthorized access and control.
According to the advisory, “VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control. A malicious actor with non-administrative privileges on a Windows guest VM may gain the ability to perform certain high-privilege operations within that VM.” The vulnerability was reported to VMware by Sergey Bliznyuk of Positive Technologies.
This flaw affects VMware Tools versions 12.x.x and 11.x.x across Windows, Linux, and macOS platforms. Fortunately, VMware Tools version 12.5.1 has been released to rectify this issue. However, VMware has not disclosed whether this vulnerability is currently being exploited in active attacks.
Earlier in March, Broadcom also issued security updates to address three zero-day vulnerabilities in VMware ESX products, which were confirmed to be actively exploited. These vulnerabilities, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, impact a range of VMware ESX products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform.
Broadcom has indicated that there is evidence suggesting these vulnerabilities have indeed been exploited in real-world scenarios. In a statement, the company noted, “On March 4, 2025, Broadcom released a critical VMware Security Advisory (VMSA), VMSA-2025-0004, addressing security vulnerabilities found and resolved in VMware ESX regarding a mechanism where threat actors could access the hypervisor through a running virtual machine.” The advisory further confirmed that the vulnerabilities represent a “VM Escape” scenario, where an attacker who has compromised a virtual machine’s guest operating system may gain privileged access to the hypervisor itself.
