Two privilege-escalation vulnerabilities in the VMware Guest Authentication Service (VGAuth) component of VMware Tools allow a local attacker to escalate from any user account to SYSTEM on Windows virtual machines.
The vulnerabilities, tracked as CVE-2025-22230 and CVE-2025-22247, affect VMware Tools installations in ESXi-managed environments as well as standalone VMware Workstation deployments.
Key Takeaways
1. VMware Tools VGAuth lets local users become SYSTEM on Windows VMs.
2. Named pipe hijacking and path traversal are the two routes to privilege escalation.
3. Update to VMware Tools 12.5.2 or later now; 12.5.1 fixes only CVE-2025-22230.
Authentication Bypass Vulnerability
The first vulnerability, CVE-2025-22230, stems from a flaw in VGAuth's named pipe implementation that allows authentication bypass through a pipe pre-creation attack.
PT SWARM reports that the VGAuth service creates user-specific private pipes using a predictable naming convention (\\.\pipe\vgauth-service- followed by the account name) without the FILE_FLAG_FIRST_PIPE_INSTANCE flag, allowing a low-privileged attacker to create the pipe before the service does.
Security researcher Sergey Bliznyuk demonstrated how an attacker exploits this by creating a named pipe at \\.\pipe\vgauth-service-system with permissive access controls.
When the service later attempts to create the pipe for SYSTEM authentication, it unknowingly uses the attacker-controlled pipe, effectively granting the attacker superuser privileges within the VGAuth protocol.
Once authenticated as SYSTEM, the attacker gains access to certificate alias stores, ticket validation mechanisms, and SAML authentication tokens, which can then be used to escalate privileges.
Path Traversal Vulnerability
The second vulnerability, CVE-2025-22247, exploits insufficient input validation in the alias store management functions.
The QueryAliases and RemoveAlias operations accept unsanitized username parameters, enabling path traversal with sequences such as "../../../../../../evil" to break out of the intended C:\ProgramData\VMware\VMware VGAuth\aliasStore directory.
An attacker can combine this with symbolic link manipulation and time-of-check/time-of-use (TOCTOU) races to achieve arbitrary file deletion and arbitrary file writes.
By chaining NTFS junctions (mount points) with DOS device symlinks, and using opportunistic locks (oplocks) for precise timing, the attacker can redirect file operations to privileged system locations such as C:\Windows\System32, enabling DLL hijacking for SYSTEM-level code execution.
CVE | Title | CVSS 3.1 Score | Severity | Affected Version | Patched Version
CVE-2025-22230 | Authentication bypass via named pipe hijacking | 7.8 | High | VMware Tools 12.5.0 | VMware Tools 12.5.1
CVE-2025-22247 | Path traversal and insecure link resolution | 6.1 | Medium | VMware Tools 12.5.0 | VMware Tools 12.5.2
Patches Released
Broadcom has addressed both vulnerabilities through coordinated security updates following responsible disclosure in early 2025.
CVE-2025-22230 was patched in VMware Tools 12.5.1, released on March 25, 2025, which randomizes private pipe names with a UUID suffix and sets the FILE_FLAG_FIRST_PIPE_INSTANCE flag; with that flag set, CreateNamedPipe fails with ERROR_ACCESS_DENIED if a pipe of the same name already exists, so a pre-created attacker pipe can no longer be silently reused.
CVE-2025-22247 was remediated in VMware Tools 12.5.2 on May 12, 2025, which adds input validation rejecting usernames containing path traversal characters, runtime path validation using GetFinalPathNameByHandleW, and a new allowSymlinks configuration flag that defaults to false.
Organizations running VMware Tools in Windows guests should upgrade promptly; since 12.5.1 fixes only CVE-2025-22230, 12.5.2 or later is required to close both issues.
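The pipe pre-creation problem described in the Authentication Bypass section, and the two-part fix above (random suffix plus FILE_FLAG_FIRST_PIPE_INSTANCE), are illustrated by the following added example. It is not VMware's code: the pipe prefix is taken from the advisory, the function names are this example's own, and pipe creation goes through CPython's private _winapi module (the same calls multiprocessing uses on Windows), which is Windows-only and therefore imported lazily so the name helpers still run elsewhere.

```python
"""Claiming a named pipe safely: the predictable name the advisory describes
beside a UUID-suffixed one, and a creation helper that sets
FILE_FLAG_FIRST_PIPE_INSTANCE so that an attacker's pre-created pipe makes
the call fail instead of being silently reused. Added example, not VMware's
code; pipe creation is Windows-only."""
import uuid

# Naming convention from the advisory; the account name follows the prefix.
PIPE_PREFIX = r"\\.\pipe\vgauth-service-"


def pipe_name(account: str, randomized: bool = True) -> str:
    """Pre-fix shape (predictable) or post-fix shape (UUID suffix) of the name.

    A predictable name is exactly what lets a low-privileged user create the
    pipe first; an unguessable suffix removes that foothold on its own, and the
    first-instance flag below makes a collision fail closed anyway.
    """
    if not randomized:
        return PIPE_PREFIX + account
    return f"{PIPE_PREFIX}{account}-{uuid.uuid4()}"


def is_randomized(name: str) -> bool:
    """True when the name carries a well-formed UUID suffix (an audit helper;
    assumed format, matching pipe_name above)."""
    if len(name) < 37 or name[-37] != "-":
        return False
    try:
        uuid.UUID(name[-36:])
    except ValueError:
        return False
    return True


def claim_pipe(name: str):
    """Create `name` as the first and only instance of that pipe.

    Raises PermissionError (ERROR_ACCESS_DENIED) if a pipe of that name already
    exists, which is the pre-creation attack being refused rather than
    connected to. Returns the pipe handle on success; close it with
    _winapi.CloseHandle when done.
    """
    import _winapi  # Windows-only; CPython-private, used here for illustration

    return _winapi.CreateNamedPipe(
        name,
        _winapi.PIPE_ACCESS_DUPLEX | _winapi.FILE_FLAG_FIRST_PIPE_INSTANCE,
        _winapi.PIPE_TYPE_MESSAGE | _winapi.PIPE_READMODE_MESSAGE | _winapi.PIPE_WAIT,
        1,          # max instances: this service creates exactly one
        4096, 4096,  # out/in buffer sizes
        _winapi.NMPWAIT_WAIT_FOREVER,
        _winapi.NULL,  # default security descriptor (tighten in real code)
    )


if __name__ == "__main__":
    # Windows-only walk-through: "attacker" claims the predictable name first,
    # the "service" then fails on the same name but succeeds on a random one.
    import _winapi

    attacker = claim_pipe(pipe_name("system", randomized=False))
    try:
        claim_pipe(pipe_name("system", randomized=False))
        print("unexpected: predictable name was reused")
    except PermissionError:
        print("predictable name already claimed: creation refused (good)")
    service = claim_pipe(pipe_name("system"))
    print("service pipe created with random suffix")
    _winapi.CloseHandle(service)
    _winapi.CloseHandle(attacker)
```

The walk-through at the bottom only runs on Windows; the name helpers are portable. Note that `claim_pipe` passes a NULL security descriptor for brevity, so a real service would still add a DACL restricting who may connect.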
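The traversal described in the Path Traversal section and the remediation above (reject traversal characters, then validate the opened object rather than the name) are illustrated by the following added example. It is not VMware's code: the alias-store root is taken from the advisory, the allowlist regex and function names are this example's own, and the handle check uses fstat/lstat identity as a portable stand-in for GetFinalPathNameByHandleW so the block runs on Linux as well as Windows.

```python
"""Alias-store path handling: a traversal-prone join beside a hardened one,
plus an open-then-verify check that refuses links unless explicitly allowed.
Added example, not VMware's code. ntpath gives Windows path semantics on any
OS; the link demo builds its own fixture in a temp directory."""
import ntpath
import os
import re
import stat
import tempfile

# Store root as named in the advisory (assumed verbatim).
ALIAS_STORE_ROOT = r"C:\ProgramData\VMware\VMware VGAuth\aliasStore"

# Assumed allowlist for the username the store is keyed on: alphanumerics plus
# '.', '_' and '-', never starting with a dot. Separators, drive letters, '..'
# and NUL cannot pass it, so the containment check below is a second line of
# defence rather than the only one.
_SAFE_USER = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,255}")


def alias_file_unsafe(username: str) -> str:
    """Pre-fix shape of the bug: the username is joined onto the root unchecked.
    normpath shows where the filesystem would actually resolve it."""
    return ntpath.normpath(ntpath.join(ALIAS_STORE_ROOT, username))


def alias_file_hardened(username: str) -> str:
    """Reject traversal characters up front, then prove the normalised path is
    still a direct child of the store root. Raises ValueError on rejection."""
    if not _SAFE_USER.fullmatch(username):
        raise ValueError(f"unsafe username rejected: {username!r}")
    candidate = ntpath.normpath(ntpath.join(ALIAS_STORE_ROOT, username))
    if ntpath.normcase(ntpath.dirname(candidate)) != ntpath.normcase(ALIAS_STORE_ROOT):
        raise ValueError(f"path escapes alias store: {candidate!r}")
    return candidate


def classify(usernames):
    """Run the hardened builder over a list; 'rejected' marks refused input."""
    out = {}
    for u in usernames:
        try:
            out[u] = alias_file_hardened(u)
        except ValueError:
            out[u] = "rejected"
    return out


def open_verified(path: str, allow_symlinks: bool = False):
    """Open `path` and verify through the handle, not the name, that no link
    was followed. The object behind the handle (fstat) must be the object the
    name refers to without following links (lstat); a symlink or reparse
    point, or a swap between the open and the check, breaks that identity and
    fails closed unless links are explicitly allowed (the allowSymlinks idea).
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        by_handle = os.fstat(fd)   # the object we actually opened
        by_name = os.lstat(path)   # the name, without following links
        reparse = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)  # Windows only
        is_link = stat.S_ISLNK(by_name.st_mode) or bool(
            getattr(by_name, "st_file_attributes", 0) & reparse)
        same_object = (by_handle.st_dev, by_handle.st_ino) == (by_name.st_dev, by_name.st_ino)
        if not allow_symlinks and (is_link or not same_object):
            raise PermissionError(f"refusing link or swapped object at {path!r}")
        return os.fdopen(fd, "rb")
    except BaseException:
        os.close(fd)
        raise


def demo_link_check() -> dict:
    """Constructed fixture: a real entry and a symlink to it in a temp dir.
    (os.symlink needs a privilege on Windows; tested on POSIX.)"""
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "alice")
        with open(real, "wb") as f:
            f.write(b"alias-store-entry")
        link = os.path.join(d, "bob")
        os.symlink(real, link)
        results = {}
        for label, p, allow in (("real", real, False), ("link", link, False),
                                ("link-allowed", link, True)):
            try:
                with open_verified(p, allow_symlinks=allow) as fh:
                    results[label] = fh.read().decode()
            except PermissionError:
                results[label] = "refused"
        return results
```

Usage: `alias_file_unsafe("../../../../../../evil")` resolves to `C:\evil`, while `classify([...])` shows the hardened builder refusing that input, a backslash variant, an absolute `C:\Windows\System32\...` path and a dot-prefixed name, and accepting a plain account name. The lstat-after-open comparison in `open_verified` is deliberately fail-closed: a false positive costs a retry, whereas trusting the name would hand the attacker the write into System32 the advisory describes.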