A team of cybersecurity researchers has uncovered serious vulnerabilities in VMware Tools that could allow attackers to gain elevated privileges on Windows virtual machines, potentially compromising entire virtualized environments across enterprise networks.
Discovery and Impact
Sergey Bliznyuk, a penetration tester at PT Security, published detailed findings on July 22, 2025, revealing multiple security flaws in the VMware Guest Authentication Service (VGAuth) component of VMware Tools version 12.5.0.
The vulnerabilities affect both Windows and Linux guest systems running in VMware-managed environments, including popular platforms like VMware Workstation and ESXi.
The VGAuth service, which facilitates secure communication between host and guest operating systems, contains critical weaknesses that enable local privilege escalation attacks.
These vulnerabilities could allow malicious users with basic system access to gain administrative or SYSTEM-level privileges, effectively taking complete control of affected virtual machines.
Technical Vulnerabilities Explained
The research identified two primary attack vectors.
The first involves a named pipe pre-creation attack where attackers can impersonate system-level sessions by creating predictable pipe names before the service does.
This authentication bypass, designated CVE-2025-22230, exploits the service’s failure to use proper pipe creation flags and predictable naming conventions.
The second vulnerability, CVE-2025-22247, centers on path traversal and insecure symbolic link handling.
Attackers can manipulate the service’s alias store management functionality to perform arbitrary file operations with elevated privileges.
This includes both file deletion and file creation capabilities, which can be weaponized for various privilege escalation techniques.
Bliznyuk demonstrated how these vulnerabilities can be chained together to achieve reliable local privilege escalation.
The attack methodology involves creating symbolic links, exploiting race conditions through opportunistic locks, and manipulating the service’s file handling routines to write malicious files to privileged system directories.
Vendor Response and Remediation
Broadcom, which acquired VMware, responded promptly to the responsible disclosure.
The company released patches addressing both vulnerabilities through a coordinated timeline.
CVE-2025-22230 was resolved in VMware Tools version 12.5.,1 released on March 25, 2025, while CVE-2025-22247 received fixes in version 12.5.2 on May 12, 2025.
The patches implement several security improvements including randomized pipe naming with UUID components, proper pipe creation flags, path traversal prevention through character filtering, and runtime path validation using Windows APIs.
Additionally, a new configuration flag allows administrators to control symbolic link handling behavior.
Recommendations for Users
Organizations running VMware Tools in Windows guest environments should immediately upgrade to the latest version to mitigate these security risks.
System administrators should prioritize patching virtualized infrastructure, particularly in environments where multiple users have access to guest systems or where sensitive data processing occurs within virtual machines.
The discovery highlights the importance of comprehensive security testing across virtualization stack components, as these systems often serve as critical infrastructure foundations for modern enterprise computing environments.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
%20(1).webp?w=1200&resize=1200,0&ssl=1&description=A team of cybersecurity researchers has uncovered serious vulnerabilities in VMware Tools that could allow attackers to gain elevated privileges on Windows virtual machines){kind=link}