Update VMware Tools for Windows NOW: High-Severity Flaw Lets Hackers Bypass Authentication

In a security advisory for VMware Tools for Windows, Broadcom has urged customers to update to the latest release because of a high-severity vulnerability for which no workaround exists. Broadcom, which acquired VMware in 2023, states that the flaw affects the 11.x.x and 12.x.x release lines of VMware Tools for Windows. It is fixed in version 12.5.1, and because there is no mitigation short of upgrading, users should update without delay.

What are the details about this authentication bypass vulnerability?

VMware Tools for Windows is an essential suite of utilities designed to enhance the performance and functionality of Windows-based virtual machines operating on VMware platforms. This suite supports a range of features, including improved display resolution, seamless integration of mouse and keyboard inputs, and enhanced time synchronization between host and guest systems.

According to Broadcom’s security advisory (VMSA-2025-0005), the vulnerability, tracked as CVE-2025-22230, is classified as an authentication bypass caused by improper access control in the affected versions of VMware Tools for Windows. Broadcom has not published further technical details. Its advisory states: “A malicious actor with non-administrative privileges on a Windows guest (virtual machine) may gain the ability to perform certain high-privilege operations within that VM.”

With a CVSS score of 7.8 out of 10, the vulnerability is rated high-severity and requires no user interaction. Note what the advisory does and does not say: the attacker must already hold a non-administrative account inside the Windows guest, so this is a local privilege escalation within the VM rather than a remote break-in or a VM escape, and it does not by itself give access to the hypervisor. Discovery is credited to Sergey Bliznyuk of Positive Technologies, a Russian cybersecurity firm that has been under U.S. Treasury sanctions since 2021 for allegedly providing security tools to Russian intelligence services.
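Because the only remediation is upgrading to 12.5.1 or later, the first practical step is finding out which version each Windows guest is running. The PowerShell below is an added example for this article, not code from Broadcom or VMware: it reads the version that the VMware Tools installer records in the Windows Uninstall registry keys, falls back to the file version of vmtoolsd.exe if that entry is missing, and flags any 11.x.x or 12.x.x build older than 12.5.1. The registry paths, the executable path and the sample version strings at the end are assumptions and constructed test data, respectively.

```powershell
# Added example (not from the original article or from Broadcom's advisory).
# Run inside a Windows guest. Flags VMware Tools builds in the advisory's
# affected range (11.x.x / 12.x.x) that are older than the fixed 12.5.1.

$FixedVersion = [version]'12.5.1'

function Test-VMwareToolsVulnerable {
    # Returns $true when the version string is an 11.x or 12.x build below 12.5.1.
    # Installer strings may carry a fourth build component ("12.5.0.24276846");
    # [version] accepts up to four parts, so "12.5.1.<build>" compares as newer
    # than "12.5.1" and is correctly treated as fixed.
    param([Parameter(Mandatory)][string]$VersionString)

    # Keep only the leading dotted-numeric part; discard anything appended.
    if ($VersionString -notmatch '^\s*(\d+(?:\.\d+){1,3})') {
        throw "Unrecognised VMware Tools version string: '$VersionString'"
    }
    $v = [version]$Matches[1]
    return ($v.Major -in @(11, 12)) -and ($v -lt $FixedVersion)
}

function Get-InstalledVMwareToolsVersion {
    # Primary source (assumed location): the Uninstall entries the Tools MSI writes.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'VMware Tools*' } |
        Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) { return [string]$entry.DisplayVersion }

    # Fallback (assumed path): the product version stamped on the Tools service binary.
    $exe = Join-Path $env:ProgramFiles 'VMware\VMware Tools\vmtoolsd.exe'
    if (Test-Path $exe) { return (Get-Item $exe).VersionInfo.ProductVersion }

    return $null
}

# Report on the local guest.
$installed = Get-InstalledVMwareToolsVersion
if (-not $installed) {
    Write-Output "$env:COMPUTERNAME: VMware Tools not found (not a VMware guest, or Tools not installed)."
} elseif (Test-VMwareToolsVulnerable $installed) {
    Write-Warning "$env:COMPUTERNAME: VMware Tools $installed is affected by CVE-2025-22230; update to 12.5.1 or later."
} else {
    Write-Output "$env:COMPUTERNAME: VMware Tools $installed is not in the affected range."
}

# Constructed sample strings (not real inventory data) exercising the range check.
# Expected: 11.3.5 and 12.4.5 and 12.5.0 -> True; 12.5.1 and 12.5.1.<build> -> False;
# 10.3.26 -> False because it is outside the 11.x/12.x range the advisory lists.
@('11.3.5.18557794', '12.4.5', '12.5.0.24276846', '12.5.1', '12.5.1.24649672', '10.3.26') |
    ForEach-Object { '{0,-18} vulnerable={1}' -f $_, (Test-VMwareToolsVulnerable $_) }
```

For a fleet, the same two functions can be pushed to each guest with `Invoke-Command -ComputerName ... -ScriptBlock ${function:...}` over WinRM and the results collected centrally; the version check is deliberately separated from the registry lookup so it can be run offline against an exported inventory list as well.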

This advisory follows the three zero-day vulnerabilities in VMware ESXi, Workstation, and Fusion (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) disclosed earlier in March. Those flaws required the attacker to already hold administrator or root privileges inside a virtual machine; with that access, an attacker could escape the VM sandbox and compromise the underlying hypervisor, exposing every virtual machine on the host and the data they hold. At one point, nearly 41,500 internet-exposed VMware ESXi instances were identified as vulnerable to CVE-2025-22224.

Last year, VMware ESXi servers were also hit by a double-extortion ransomware campaign in which the threat actors impersonated a legitimate organization. VMware’s ubiquity in enterprise environments makes it an attractive target: compromising the hypervisor lets an attacker take down many virtual machines at once and destroy recovery options such as snapshots and backups, causing substantial disruption to business operations.
