Critical VMware Tools VGAuth Vulnerabilities Enable Full System Access for Attackers


Two critical vulnerabilities in the VMware Guest Authentication Service (VGAuth) component of VMware Tools allow local attackers to escalate privileges from any user account to SYSTEM-level access on Windows virtual machines. 

The vulnerabilities, tracked as CVE-2025-22230 and CVE-2025-22247, affect VMware Tools installations across ESXi-managed environments and standalone VMware Workstation deployments.

Key Takeaways
1. VMware Tools VGAuth lets local users become SYSTEM on Windows VMs.
2. Named pipe hijacking and path traversal enable privilege escalation.
3. Update to VMware Tools 12.5.1+ now.

Authentication Bypass Vulnerability

The first vulnerability, CVE-2025-22230, stems from a critical flaw in VGAuth’s named pipe implementation that enables authentication bypass through a pre-creation attack. 


PT SWARM reports that the VGAuth service creates user-specific private pipes using predictable naming conventions (\\.\pipe\vgauth-service-) without the FILE_FLAG_FIRST_PIPE_INSTANCE flag, allowing low-privileged attackers to create malicious pipes before the service does.

Security researcher Sergey Bliznyuk demonstrated how attackers can exploit this by creating a named pipe at \\.\pipe\vgauth-service-system with permissive access controls.

When the service attempts to create the pipe for SYSTEM authentication, it unknowingly uses the attacker-controlled pipe, effectively granting superuser privileges within the VGAuth protocol. 

Once authenticated as SYSTEM, attackers gain access to certificate alias stores, ticket validation mechanisms, and SAML authentication tokens for privilege escalation.

Path Traversal Vulnerability

The second vulnerability, CVE-2025-22247, exploits insufficient input validation in the alias store management functions. 

The QueryAliases and RemoveAlias operations accept unsanitized username parameters, enabling path traversal attacks using sequences like “../../../../../../evil” to break out of the intended C:\ProgramData\VMware\VMware VGAuth\aliasStore directory.

Attackers can leverage symbolic link manipulation and time-of-check/time-of-use (TOCTOU) attacks to achieve arbitrary file deletion and write operations. 

By combining junction mount points with DOS device symlinks, and utilizing Opportunistic Locks for precise timing, attackers can redirect file operations to privileged system locations such as C:\Windows\System32, enabling DLL hijacking for SYSTEM-level code execution.

| CVE | Title | CVSS 3.1 Score | Severity | Affected Version | Patched Version |
|---|---|---|---|---|---|
| CVE-2025-22230 | Authentication bypass via named pipe hijacking | 7.8 | High | VMware Tools 12.5.0 | VMware Tools 12.5.1 |
| CVE-2025-22247 | Path traversal and insecure link resolution | 6.1 | Medium | VMware Tools 12.5.0 | VMware Tools 12.5.2 |

Patches Released 

Broadcom has addressed both vulnerabilities through coordinated security updates following responsible disclosure in early 2025. 

CVE-2025-22230 was patched in VMware Tools 12.5.1 released on March 25, 2025, implementing randomized private pipe names with UUID suffixes and enforcing the FILE_FLAG_FIRST_PIPE_INSTANCE flag to prevent hijacking attacks.

CVE-2025-22247 received remediation in VMware Tools 12.5.2 on May 12, 2025, introducing input validation to reject usernames containing unsafe path traversal characters, runtime path validation using GetFinalPathNameByHandleW, and a new allowSymlinks configuration flag defaulting to false. 
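As an added illustration (not VGAuth's own code) of the two mitigations the 12.5.2 fix describes for the alias store: an allow-list on the username, followed by a containment check on the resolved path. The store root is the one named above; the per-user file layout, the allow-list rule, and the use of ntpath.normpath in place of GetFinalPathNameByHandleW are assumptions so that the script runs offline on any OS.

```python
import ntpath
import re

# Alias store root as named in the article; everything below it is assumed for illustration.
ALIAS_STORE_ROOT = r"C:\ProgramData\VMware\VMware VGAuth\aliasStore"

# Assumed allow-list for a guest account name: no path separators, no drive colon,
# no wildcards, no whitespace. Real deployments may need to admit more characters.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,256}$")
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def naive_alias_path(username: str) -> str:
    """The pattern the article describes as vulnerable: the caller's name is joined
    straight onto the store root, so '../' sequences walk out of the directory."""
    return ntpath.join(ALIAS_STORE_ROOT, username)


def is_safe_username(username: str) -> bool:
    """First mitigation: reject names that could form a path rather than a file name."""
    if not _USERNAME_RE.fullmatch(username):
        return False
    if username in (".", ".."):
        return False
    # Windows strips trailing dots and maps DOS device names regardless of directory,
    # so both are refused as well (assumed policy).
    if username.endswith(".") or username.split(".")[0].upper() in _RESERVED:
        return False
    return True


def resolve_alias_path(username: str):
    """Second mitigation: after the allow-list, confirm the normalized path is still
    inside the store. ntpath.normpath stands in for GetFinalPathNameByHandleW here,
    so this catches lexical traversal but not symlink/junction redirection."""
    if not is_safe_username(username):
        return None
    root = ntpath.normpath(ALIAS_STORE_ROOT)
    candidate = ntpath.normpath(ntpath.join(root, username))
    # Trailing separator so that '...\aliasStore2\x' is not accepted as inside the root.
    if not candidate.lower().startswith(root.lower() + ntpath.sep):
        return None
    return candidate


if __name__ == "__main__":
    for name in ("alice", "../../../../../../evil", "..", "NUL"):
        print(f"{name!r}: naive={ntpath.normpath(naive_alias_path(name))}"
              f" hardened={resolve_alias_path(name)}")
```

The naive join lets the article's traversal string resolve to C:\evil; the hardened path returns None for it and for reserved or separator-bearing names.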

Organizations running VMware Tools in Windows guest environments should immediately upgrade to the latest version to mitigate these critical security risks.
