
Broadcom has issued critical security updates to remediate an authentication bypass vulnerability in VMware Tools for Windows. The flaw, labelled CVE-2025-22230, arises from improper access control mechanisms within the software. Discovered by Sergey Bliznyuk of Positive Technologies, the vulnerability is significant as it enables attackers with minimal privileges to perform high-privilege operations within affected virtual machines without requiring user interaction.
VMware Tools is an integral suite of drivers and utilities designed to optimise performance and integration for guest operating systems running on VMware’s virtual infrastructure. These tools are widely deployed in enterprise environments, where they play a crucial role in ensuring seamless operation and management of virtual machines. However, vulnerabilities like CVE-2025-22230 pose serious risks, as they can potentially facilitate unauthorised access and manipulation of sensitive data and systems.
“A malicious actor with non-administrative privileges on a Windows guest VM may gain the ability to perform certain high-privilege operations within that VM,” reads the security advisory published by VMware. This specific vulnerability underscores the broader security challenges faced by enterprises relying on virtualisation technologies for operational efficiency.
Recent zero-day vulnerabilities
The release of this update follows Broadcom’s earlier efforts this month to address three zero-day vulnerabilities, CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, which were being actively exploited. Reported by the Microsoft Threat Intelligence Center, these vulnerabilities affected several VMware products, including ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform. Attackers leveraging these vulnerabilities could potentially bypass the sandbox environment designed to protect virtual machines from unauthorized access.
The urgency of applying these patches is underscored by findings from Shadowserver, a threat monitoring platform that identified more than 37,000 internet-exposed VMware ESXi instances vulnerable to attacks exploiting one of these zero-days. Such widespread exposure highlights the critical need for organisations to maintain up-to-date security measures.
VMware’s infrastructure products have historically been attractive targets for cybercriminals due to their integral role in managing enterprise data and operations. In November 2024, warnings were issued about exploits targeting VMware vCenter Server vulnerabilities, including a privilege escalation flaw (CVE-2024-38813) and a critical remote code execution issue (CVE-2024-38812). These incidents reflect the persistent threats faced by virtualisation technologies in today’s cybersecurity landscape.
VMware has assigned CVE-2025-22230 a CVSSv3 base score of 7.8, placing it in the high-severity range. Users are strongly encouraged to apply the latest patches, as there are no workarounds available for this vulnerability at present. Prompt deployment of the updates is the only mitigation for protecting affected virtual machines against potential exploitation by malicious actors.
Ransomware groups and state-sponsored hackers frequently target VMware vulnerabilities due to their extensive deployment in enterprise settings. The ability to exploit such vulnerabilities could have far-reaching implications for organisations’ data security and operational integrity. Therefore, timely patch management remains an essential aspect of a robust cybersecurity strategy aimed at safeguarding virtual environments against evolving threats.