If you use VMware Tools for Windows, it is critical to update to the latest version. Broadcom, which acquired VMware for $69 billion in 2023, has issued a patch for a high-severity vulnerability that is actively being exploited by cybercriminals.
The vulnerability affects VMware Tools for Windows versions 11.x.x and 12.x.x, but has been patched in version 12.5.1. Broadcom confirmed that no workarounds are available, so affected users should update immediately.
What are the details about this authentication bypass vulnerability?
VMware Tools for Windows is a suite of utilities that enhances the performance and functionality of Windows-based virtual machines running on VMware platforms. It supports functions like display resolution, seamless mouse and keyboard integration, and better time synchronization between host and guest systems.
CVE-2025-22230 is classified as an “authentication bypass vulnerability,” according to Broadcom’s security advisory. While technical details remain limited, Broadcom suggests that the flaw results from improper access control mechanisms in some versions of VMware Tools for Windows.
“A malicious actor with non-administrative privileges on a Windows guest (virtual machine) may gain (the) ability to perform certain high-privilege operations within that VM,” the company said.
The vulnerability has a CVSS score of 7.8 out of 10, indicating a high-severity issue. It does not require user interaction for exploitation.
The vulnerability was reported by Sergey Bliznyuk of Positive Technologies, a Russian cybersecurity firm sanctioned by the U.S. Treasury in 2021 for allegedly providing security tools to and hosting recruitment events for Russian intelligence services.
VMware vulnerabilities are oft-targeted
Earlier this month, Broadcom patched three actively exploited zero-day vulnerabilities in VMware ESXi, Workstation, and Fusion. These required attackers to have administrator or root access to a virtual machine, but if they did, they could escape its sandbox and breach the underlying hypervisor, potentially exposing all connected virtual machines and sensitive data. At the time, nearly 41,500 VMWare ESXi instances were identified as vulnerable due to CVE-2025-22224.
Last year, VMware ESXi servers were hit by a double-extortion ransomware variant, with the threat actors impersonating a real organization. Hackers like to target VMware as it is widely used in enterprise. Furthermore, compromising the hypervisor can allow attackers to disable multiple virtual machines simultaneously and remove recovery options such as snapshots or backups, ensuring a significant impact on a business’s operations.
