Critical VMware Tools VGAuth Vulnerabilities Enable Full System Access for Attackers
Two vulnerabilities in the VMware Guest Authentication Service (VGAuth), a component of VMware Tools, let a local attacker on a Windows virtual machine escalate from any user account to SYSTEM.
The vulnerabilities, tracked as CVE-2025-22230 (rated High) and CVE-2025-22247 (rated Medium), affect VMware Tools for Windows whether the guest runs on an ESXi host or in a standalone VMware Workstation deployment.
Key Takeaways
1. A flaw in the VGAuth component of VMware Tools lets any local user become SYSTEM on a Windows VM.
2. Named pipe hijacking (CVE-2025-22230) and path traversal combined with link abuse (CVE-2025-22247) are the two escalation routes.
3. Update to VMware Tools 12.5.2 or later; 12.5.1 fixes only CVE-2025-22230.
Authentication Bypass Vulnerability
The first vulnerability, CVE-2025-22230, is an authentication bypass in VGAuth's named pipe handling: an attacker who creates the pipe before the service does wins.
PT SWARM reports that the VGAuth service creates a private pipe for each client session with a name derived predictably from the username (\\.\pipe\vgauth-service- followed by the account name).
Security researcher Sergey Bliznyuk showed that an attacker can pre-create \\.\pipe\vgauth-service-system, the pipe reserved for SYSTEM sessions, with a permissive access control list.
Because the service does not insist on owning the first instance of the pipe, its own CreateNamedPipe call still succeeds; it ends up serving a pipe whose access controls the attacker set, so the attacker can connect to a pipe the service believes only SYSTEM can reach and is treated as SYSTEM within the VGAuth protocol.
Once authenticated as SYSTEM, the attacker can reach the certificate alias stores, the ticket validation mechanisms and the SAML authentication tokens that the service exposes, each of which is a foothold for further privilege escalation.
Path Traversal Vulnerability
The second vulnerability, CVE-2025-22247, is caused by insufficient input validation in the alias store management functions.
The QueryAliases and RemoveAlias operations accept unsanitized username parameters, so a username such as "../../../../../../evil" breaks out of the intended C:\ProgramData\VMware\VMware VGAuth\aliasStore directory.
The file operations that follow can then be steered with symbolic links and time-of-check/time-of-use (TOCTOU) races to delete or write arbitrary files.
By combining NTFS junctions with DOS device symlinks, and using opportunistic locks to stop the service at exactly the right moment, an attacker can redirect those operations to privileged locations such as C:\Windows\System32, which opens the door to DLL hijacking and code execution as SYSTEM.
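To make the traversal concrete, here is an added Python model (not VGAuth's code, and not from PT SWARM or Broadcom) of how an unsanitized username lands a file path outside the store, next to a hardened version that rejects separator and traversal characters and then confirms the normalized result is still under the store. The per-user file layout (user-<name>.xml) and the exact forbidden character set are assumptions made for this example; Python's ntpath module applies Windows path semantics, so the model runs on any platform.

```python
import ntpath

# Store location from the article; the per-user file name pattern is an
# assumption made for this example, not VGAuth's actual layout.
ALIAS_STORE = r"C:\ProgramData\VMware\VMware VGAuth\aliasStore"

# Characters that can redirect a Windows path: both separators, the drive
# colon, wildcards, redirection symbols and control characters. This set is the
# example's own choice; it also rejects DOMAIN\user forms, which a real
# deployment would have to normalise before this check.
_FORBIDDEN = set('\\/:*?"<>|') | {chr(c) for c in range(32)}


def vulnerable_alias_path(username: str) -> str:
    """Pre-12.5.2 behaviour as the article describes it: the username goes straight into the path."""
    return ntpath.normpath(ntpath.join(ALIAS_STORE, f"user-{username}.xml"))


def validate_username(username: str) -> None:
    """Reject anything that could change which directory the file ends up in."""
    if not username or len(username) > 256:
        raise ValueError("empty or oversized username")
    bad = sorted(set(username) & _FORBIDDEN)
    if bad:
        raise ValueError(f"forbidden characters in username: {bad!r}")
    if ".." in username:
        raise ValueError("path traversal sequence in username")


def hardened_alias_path(username: str) -> str:
    """Validate the username, then confirm the normalised result is still under the store."""
    validate_username(username)
    candidate = ntpath.normpath(ntpath.join(ALIAS_STORE, f"user-{username}.xml"))
    # Belt and braces: even after filtering, insist the path stays inside the store.
    if ntpath.commonpath([ALIAS_STORE, candidate]) != ALIAS_STORE:
        raise ValueError(f"{candidate!r} escapes the alias store")
    return candidate


if __name__ == "__main__":
    print(vulnerable_alias_path("alice"))
    print(vulnerable_alias_path("../../../../../../evil"))   # lands at the drive root
    for name in ("alice", "../../../../../../evil"):
        try:
            print(hardened_alias_path(name))
        except ValueError as exc:
            print(f"rejected {name!r}: {exc}")
```

The containment check matters even with the character filter in place: a filter is easy to get wrong, while comparing the normalized result against the store directory fails closed whatever the input looked like. Note that the string-level check alone says nothing about links already planted inside the store, which is why the page's second attack step needs a separate defence.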
| CVE | Title | CVSS 3.1 score | Severity | Affected versions | Patched version |
|---|---|---|---|---|---|
| CVE-2025-22230 | Authentication bypass via named pipe hijacking | 7.8 | High | VMware Tools 12.x.x and 11.x.x (Windows) | VMware Tools 12.5.1 |
| CVE-2025-22247 | Path traversal and insecure link resolution | 6.1 | Medium | VMware Tools 12.x.x and 11.x.x (Windows) | VMware Tools 12.5.2 |
Patches Released
Broadcom addressed both vulnerabilities in coordinated security updates following responsible disclosure in early 2025.
CVE-2025-22230 was fixed in VMware Tools 12.5.1, released on March 25, 2025. The service now randomizes private pipe names with a UUID suffix and passes FILE_FLAG_FIRST_PIPE_INSTANCE to CreateNamedPipe, so pipe creation fails with an error instead of silently attaching to an instance an attacker created first.
CVE-2025-22247 was fixed in VMware Tools 12.5.2 on May 12, 2025. The update rejects usernames containing unsafe path traversal characters, validates the final path of opened files at runtime with GetFinalPathNameByHandleW, and adds an allowSymlinks configuration flag that defaults to false.
Organizations running VMware Tools in Windows guests should upgrade to 12.5.2 or later without delay; 12.5.1 closes only the pipe hijacking flaw.
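Filtering the username does not help once a junction or symlink has already been planted inside the store, which is the second half of the attack described above and the reason the 12.5.2 fix re-checks the opened handle with GetFinalPathNameByHandleW rather than trusting the name. The following added example (not VGAuth code, and not from Broadcom or PT SWARM) shows the same open-then-verify pattern on Linux: it opens the requested file, reads where the descriptor really points via /proc/self/fd (falling back to os.path.realpath on systems without /proc), and refuses the handle if it resolved outside the store unless an allowSymlinks-style switch is set. The directory names and the planted link are a constructed scenario in a temporary directory.

```python
import os
import tempfile


def final_path_of_handle(fd: int, fallback: str) -> str:
    """Return the link-free path the open descriptor really refers to.

    On Linux, /proc/self/fd/<n> is a symlink to the final path of the open
    file, the closest analogue of GetFinalPathNameByHandleW. Without /proc,
    fall back to resolving the name, which is path-based and therefore weaker.
    """
    try:
        return os.readlink(f"/proc/self/fd/{fd}")
    except OSError:
        return os.path.realpath(fallback)


def open_inside_store(store: str, relative_name: str, allow_symlinks: bool = False) -> int:
    """Open store/relative_name and verify, after the open, that the handle is still inside store.

    Checking the name before opening leaves the TOCTOU window the article
    describes; checking the handle after the open does not, because the
    attacker can no longer swap what the handle refers to.
    """
    store_real = os.path.realpath(store)
    target = os.path.join(store, relative_name)
    fd = os.open(target, os.O_RDONLY)
    try:
        resolved = final_path_of_handle(fd, target)
        inside = os.path.commonpath([store_real, resolved]) == store_real
        if not inside and not allow_symlinks:
            raise PermissionError(f"{target} resolved to {resolved}, outside the alias store")
    except BaseException:
        os.close(fd)
        raise
    return fd


def demo() -> dict:
    """Constructed scenario: a link planted in the store points at a privileged directory."""
    with tempfile.TemporaryDirectory() as root:
        store = os.path.join(root, "aliasStore")
        system32 = os.path.join(root, "System32")   # stand-in for C:\Windows\System32
        os.makedirs(store)
        os.makedirs(system32)
        with open(os.path.join(store, "user-alice.xml"), "w") as fh:
            fh.write("<aliases/>")                   # a legitimate per-user file
        with open(os.path.join(system32, "target.dll"), "w") as fh:
            fh.write("constructed victim file")
        os.symlink(system32, os.path.join(store, "planted"))   # the attacker's junction/symlink

        outcome = {}
        os.close(open_inside_store(store, "user-alice.xml"))
        outcome["legitimate"] = "opened"
        try:
            os.close(open_inside_store(store, os.path.join("planted", "target.dll")))
            outcome["via_link"] = "opened"
        except PermissionError:
            outcome["via_link"] = "blocked"
        # Equivalent of allowSymlinks=true: the same open is permitted.
        os.close(open_inside_store(store, os.path.join("planted", "target.dll"), allow_symlinks=True))
        outcome["via_link_allowed"] = "opened"
        return outcome


if __name__ == "__main__":
    print(demo())
```

The legitimate per-user file opens normally, the path routed through the planted link is rejected after the open, and flipping the allow switch reproduces the permissive pre-12.5.2 behaviour. Deleting or writing through the handle only after this check is what denies the attacker the redirect into a privileged directory; an oplock can still stall the service, but stalling no longer changes where the verified handle points.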