Saturday, August 30, 2025

Critical VGAuth Flaw in VMware Tools Grants Full System Access


Security researchers have uncovered critical vulnerabilities in VMware Tools' Guest Authentication Service (VGAuth) that allow attackers to escalate privileges from any user account to full SYSTEM access on Windows virtual machines.

The flaws, tracked as CVE-2025-22230 and CVE-2025-22247, affect VMware Tools 12.5.0 and earlier versions across ESXi-managed environments and standalone VMware Workstation deployments.

Authentication Bypass

The first vulnerability stems from a fundamental flaw in VGAuth's named pipe authentication mechanism.

The service creates predictable pipe names in the format \\.\pipe\vgauth-service-<account name> without using the FILE_FLAG_FIRST_PIPE_INSTANCE flag, allowing attackers to pre-create these pipes with permissive access controls.

CVE ID | CVSS Rating | Description | Patch Version | Release Date
CVE-2025-22230 | High | Authentication bypass via named pipe hijacking | VMware Tools 12.5.1 | March 25, 2025
CVE-2025-22247 | Critical | Path traversal with insecure symlink resolution | VMware Tools 12.5.2 | May 12, 2025

By creating a pipe named vgauth-service-system before the legitimate service does, attackers can hijack authentication sessions and impersonate the NT AUTHORITY\SYSTEM account.

This grants immediate superuser privileges within the VGAuth protocol, bypassing all intended security restrictions.

The second vulnerability exploits insufficient input validation in alias store operations.

Attackers can inject path traversal sequences such as ../../../../../../evil into username parameters, allowing them to break out of the intended alias store directory and target arbitrary system files.

Combined with Windows symlink manipulation techniques, this creates powerful attack primitives.

Researchers demonstrated two exploitation paths: arbitrary file deletion through the RemoveAlias operation and arbitrary file write through alias store rewriting.

Both techniques leverage time-of-check/time-of-use (TOCTOU) attacks, using Opportunistic Locks to precisely time the switching of symlink targets.

The arbitrary file deletion capability can target critical system directories such as C:\Config.Msi, enabling well-known Windows Installer privilege escalation techniques.

Meanwhile, the file write primitive allows attackers to plant malicious DLLs in privileged locations with inherited permissive ACLs, facilitating DLL hijacking attacks for code execution as SYSTEM.

Broadcom has addressed both vulnerabilities through security updates. CVE-2025-22230 was mitigated by randomizing pipe names and enforcing proper first-instance flags.

CVE-2025-22247 received more comprehensive fixes, including path validation, runtime path verification, and a new allowSymlinks configuration option (disabled by default).
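The following is an added illustration of the kind of hardening the path-traversal fix describes (input validation on the username, re-verification of the resolved path at operation time, and symlinks refused unless explicitly allowed). It is not VMware's code: the function names (validate_username, resolve_alias_path, remove_alias) are hypothetical, the allow_symlinks parameter only mirrors the idea of the page's allowSymlinks option, and a POSIX symlink stands in for the Windows symlink tricks the article mentions. The scenario in demo() is constructed: a temporary alias store holding one legitimate alias file plus a planted symlink that points at a file outside the store.

```python
import os
import tempfile


def validate_username(username: str) -> str:
    """Hypothetical check on a username before it is used to build a path.
    Anything that could introduce a directory component is rejected outright."""
    if not username or len(username) > 256:
        raise ValueError("empty or oversized username")
    # Separators (both flavours) and NUL cannot appear in a plain account name.
    if any(ch in username for ch in "/\\\0"):
        raise ValueError(f"illegal path character in username: {username!r}")
    # "." and ".." contain no separator but still change the directory.
    if username in (".", ".."):
        raise ValueError("traversal component used as username")
    return username


def resolve_alias_path(store_dir: str, username: str, allow_symlinks: bool = False) -> str:
    """Build the alias-file path for `username` and verify, at the moment of use,
    that it is not a symlink (unless allowed) and still resolves inside the store."""
    store_real = os.path.realpath(store_dir)
    candidate = os.path.join(store_real, validate_username(username))
    if not allow_symlinks and os.path.islink(candidate):
        raise PermissionError(f"refusing symlink alias file: {candidate}")
    resolved = os.path.realpath(candidate)
    # Containment is checked on the *resolved* path, so a link swapped in after
    # the name check cannot redirect the operation outside the store.
    if os.path.commonpath([store_real, resolved]) != store_real:
        raise PermissionError(f"alias path escapes store: {resolved}")
    return resolved


def remove_alias(store_dir: str, username: str, allow_symlinks: bool = False) -> bool:
    """Hypothetical hardened RemoveAlias: returns True if an alias file was deleted."""
    path = resolve_alias_path(store_dir, username, allow_symlinks)
    if not os.path.exists(path):
        return False
    os.unlink(path)
    return True


def demo() -> dict:
    """Constructed scenario; returns what happened for each kind of input."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        store = os.path.join(root, "aliasStore")
        os.mkdir(store)
        victim = os.path.join(root, "victim.txt")      # file outside the store
        open(victim, "w").close()
        open(os.path.join(store, "alice"), "w").close()  # legitimate alias file
        os.symlink(victim, os.path.join(store, "mallory"))  # planted link

        results["legit"] = remove_alias(store, "alice")
        for name in ("../../victim.txt", "..", "a/b"):
            try:
                remove_alias(store, name)
                results[name] = "removed"
            except ValueError:
                results[name] = "rejected"
        try:
            remove_alias(store, "mallory")
            results["symlink"] = "removed"
        except PermissionError:
            results["symlink"] = "rejected"
        try:
            # Even with symlinks allowed, a link leaving the store is refused.
            remove_alias(store, "mallory", allow_symlinks=True)
            results["symlink_allowed"] = "removed"
        except PermissionError:
            results["symlink_allowed"] = "rejected"
        results["victim_survives"] = os.path.exists(victim)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The name check alone stops the ../../ style input from the article, but it does nothing against a link planted inside the store, which is why the resolved path is re-checked immediately before the delete. On POSIX a stricter variant would open the store directory once and use os.unlink(name, dir_fd=...) so no absolute path is ever re-resolved; on Windows the equivalent is holding a handle to the store directory and operating relative to it.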

Organizations should immediately update to VMware Tools 12.5.2 or later.

The vulnerabilities affect the default Windows installation of VMware Tools, making nearly all Windows virtual machines in VMware environments potentially exploitable by local users seeking privilege escalation.

Given VGAuth's widespread deployment and the severity of these flaws, administrators should prioritize patching efforts to prevent system compromise through these well-documented attack vectors.

