Critical VGAuth Flaw in VMware Tools Grants Full System Access
Security researchers have uncovered critical vulnerabilities in VMware Tools’ Guest Authentication Service (VGAuth) that allow attackers to escalate privileges from any user account to full SYSTEM access on Windows virtual machines.
The flaws, tracked as CVE-2025-22230 and CVE-2025-22247, affect VMware Tools 12.5.0 and earlier versions across ESXi-managed environments and standalone VMware Workstation deployments.
Authentication Bypass
The primary vulnerability stems from a fundamental flaw in VGAuth’s named pipe authentication mechanism.
The service creates predictable pipe names in the format \\.\pipe\vgauth-service-
| CVE ID | CVSS Score | Description | Patch Version | Release Date |
|---|---|---|---|---|
| CVE-2025-22230 | High | Authentication bypass via named pipe hijacking | VMware Tools 12.5.1 | March 25, 2025 |
| CVE-2025-22247 | Critical | Path traversal with insecure symlink resolution | VMware Tools 12.5.2 | May 12, 2025 |
By establishing a pipe named vgauth-service-system before the legitimate service, attackers can hijack authentication sessions and impersonate the NT AUTHORITY\SYSTEM account.
This grants immediate superuser privileges within the VGAuth protocol, bypassing all intended security restrictions.
The second vulnerability exploits insufficient input validation in alias store operations.
Attackers can inject path traversal sequences like ../../../../../../evil into username parameters, allowing them to break out of the intended alias store directory and target arbitrary system files.
Combined with Windows symlink manipulation techniques, this creates powerful attack primitives.
Researchers demonstrated two exploitation paths: arbitrary file deletion through the RemoveAlias operation and arbitrary file write through alias store rewriting.
Both techniques leverage time-of-check/time-of-use (TOCTOU) attacks using Opportunistic Locks to precisely time symlink target switching.
The arbitrary file deletion capability can target critical system directories like C:\Config.Msi, enabling well-known Windows Installer privilege escalation techniques.
Meanwhile, the file write primitive allows attackers to plant malicious DLLs in privileged locations with inherited permissive ACLs, facilitating DLL hijacking attacks for code execution as SYSTEM.
Broadcom has addressed both vulnerabilities through security updates. CVE-2025-22230 was mitigated by randomizing pipe names and implementing proper first-instance flags.
CVE-2025-22247 received more comprehensive fixes, including path validation, runtime path verification, and a new allowSymlinks configuration option (disabled by default).
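To make the fix concrete, here is an added example (written for this article, not Broadcom's or VMware Tools' code) of the three-layer defence described above for the alias store: input validation of the username parameter, a runtime re-check that the resolved path still lies inside the store, and a symlink policy that defaults to "disallow". The alias store layout, the `ALIAS_STORE` directory, the function names and the `allow_symlinks` parameter are all assumptions chosen to mirror the described `allowSymlinks` option; the traversal string and the planted symlink are constructed test inputs.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed example: a hypothetical per-user alias store under one base
# directory. The layout and names are assumptions, not VGAuth's real ones.
ALIAS_STORE = Path(tempfile.mkdtemp(prefix="aliasStore-")).resolve()

# A username may only ever be a single path component of safe characters.
_SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_username(username: str) -> None:
    """Layer 1: reject anything that is not a plain single path component."""
    if not _SAFE_USERNAME.fullmatch(username) or username in (".", ".."):
        raise ValueError(f"rejected username {username!r}")


def resolve_alias_path(username: str, allow_symlinks: bool = False) -> Path:
    """Layer 2: verify at use time that the path still lands inside the store."""
    validate_username(username)
    candidate = ALIAS_STORE / username
    # Layer 3: symlinks (or junctions) planted in the store are refused unless
    # the operator has explicitly opted in, mirroring an allowSymlinks=false default.
    if candidate.is_symlink() and not allow_symlinks:
        raise PermissionError(f"symlink not allowed: {candidate}")
    resolved = candidate.resolve(strict=False)
    # Even with a clean username, a link could redirect the write elsewhere,
    # so containment is re-checked on the resolved path, not the requested one.
    if not allow_symlinks and resolved.parent != ALIAS_STORE:
        raise PermissionError(f"{candidate} escapes alias store -> {resolved}")
    return candidate


def write_alias(username: str, data: str, allow_symlinks: bool = False) -> Path:
    """Rewrite a user's alias file without following a symlink at open time."""
    path = resolve_alias_path(username, allow_symlinks)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    if not allow_symlinks:
        # O_NOFOLLOW closes the check-then-open race on POSIX; on platforms
        # without it the resolve() check above is the only guard.
        flags |= getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def is_safe_alias_request(username: str, allow_symlinks: bool = False) -> bool:
    """Convenience wrapper: True if the request passes every check."""
    try:
        resolve_alias_path(username, allow_symlinks)
        return True
    except (ValueError, PermissionError):
        return False


def demo() -> dict:
    """Exercise the checks on constructed inputs and return what happened."""
    results = {
        "plain": is_safe_alias_request("alice"),
        "traversal": is_safe_alias_request("../../../../../../evil"),
        "backslash": is_safe_alias_request("..\\..\\evil"),
        "dotdot": is_safe_alias_request(".."),
    }
    # Simulate a link planted inside the store that points outside of it.
    outside = ALIAS_STORE.parent / "outside-target"  # constructed target path
    link = ALIAS_STORE / "mallory"
    try:
        if link.is_symlink() or link.exists():
            link.unlink()
        link.symlink_to(outside)
        results["symlink_default"] = is_safe_alias_request("mallory")
        results["symlink_allowed"] = is_safe_alias_request("mallory", allow_symlinks=True)
    except OSError:
        # Platforms that refuse unprivileged symlink creation: record "not tested".
        results["symlink_default"] = None
        results["symlink_allowed"] = None
    write_alias("alice", "constructed alias data\n")
    results["alice_written"] = (ALIAS_STORE / "alice").read_text().startswith("constructed")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The important design point is that validating the username string alone is not enough: the second vulnerability combined traversal with symlink switching, so the path must be re-verified at the moment it is used and the open itself must refuse to follow a link, which is what the runtime `resolve()` check and `O_NOFOLLOW` do here.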
Organizations should immediately update to VMware Tools 12.5.2 or later versions.
The vulnerabilities affect the default Windows installation of VMware Tools, making nearly all Windows virtual machines in VMware environments potentially exploitable by local users seeking privilege escalation.
Given VGAuth’s widespread deployment and the severity of these flaws, administrators should prioritize patching efforts to prevent potential system compromises through these well-documented attack vectors.