CyberSecurityBoard
Sponsor Register Login

Critical VMware Tools VGAuth Vulnerabilities Enable Full System Access for Attackers

Two critical vulnerabilities in the VMware Guest Authentication Service (VGAuth) component of VMware Tools allow local attackers to escalate privileges from any user account to SYSTEM-level access on Windows virtual machines. CVE-2025-22247 received remediation in VMware Tools 12.5.2 on May 12, 2025, introducing input validation to reject usernames containing unsafe path traversal characters, runtime path validation using GetFinalPathNameByHandleW, and a new allowSymlinks configuration flag defaulting to false. CVE-2025-22230 was patched in VMware Tools 12.5.1 released on March 25, 2025, implementing randomized private pipe names with UUID suffixes and enforcing the FILE_FLAG_FIRST_PIPE_INSTANCE flag to prevent hijacking attacks. PT SWARM reports that the VGAuth service creates user-specific private pipes using predictable naming conventions (\.\pipe\vgauth-service-<username>) without the FILE_FLAG_FIRST_PIPE_INSTANCE flag, allowing low-privileged attackers to create malicious pipes before the service does. By combining junction mount points with DOS device symlinks, and utilizing Opportunistic Locks for precise timing, attackers can redirect file operations to privileged system locations such as C:\Windows\System32, enabling DLL hijacking for SYSTEM-level code execution. Once authenticated as SYSTEM, attackers gain access to certificate alias stores, ticket validation mechanisms, and SAML authentication tokens for privilege escalation. The QueryAliases and RemoveAlias operations accept unsanitized username parameters, enabling path traversal attacks using sequences like “../../../../../../evil” to break out of the intended C:\ProgramData\VMware\VMware VGAuth\aliasStore directory. When the service attempts to create the pipe for SYSTEM authentication, it unknowingly uses the attacker-controlled pipe, effectively granting superuser privileges within the VGAuth protocol. The vulnerabilities, tracked as CVE-2025-22230 and CVE-2025-22247, affect VMware Tools installations across ESXi-managed environments and standalone VMware Workstation deployments. Security researcher Sergey Bliznyuk demonstrated how attackers can exploit this by creating a named pipe at \.\pipe\vgauth-service-system with permissive access controls.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 25 Jul 2025 13:20:18 +0000


Cyber News related to Critical VMware Tools VGAuth Vulnerabilities Enable Full System Access for Attackers

Critical VMware Tools VGAuth Vulnerabilities Enable Full System Access for Attackers - Two critical vulnerabilities in the VMware Guest Authentication Service (VGAuth) component of VMware Tools allow local attackers to escalate privileges from any user account to SYSTEM-level access on Windows virtual machines. CVE-2025-22247 received ...
17 hours ago Cybersecuritynews.com CVE-2025-22247
VMware Tools for Windows Vulnerability Let Attackers Bypass Authentication - According to the security advisory VMSA-2025-0005, the authentication bypass vulnerability stems from improper access control in the VMware Tools for Windows utilities suite. In response to this vulnerability, cybersecurity experts recommend that ...
4 months ago Cybersecuritynews.com CVE-2025-22230
VMware fixes critical Cloud Director auth bypass unpatched for 2 weeks - VMware has fixed a critical authentication bypass vulnerability in Cloud Director appliance deployments, a bug that was left unpatched for over two weeks since it was disclosed on November 14th. Cloud Director is a VMware platform that enables admins ...
1 year ago Bleepingcomputer.com CVE-2023-34060
8 Tips on Leveraging AI Tools Without Compromising Security - Forecasts like the Nielsen Norman Group estimating that AI tools may improve an employee's productivity by 66% have companies everywhere wanting to leverage these tools immediately. How can companies employ these powerful AI/ML tools without ...
1 year ago Darkreading.com
VMWare discloses critical VCD Appliance auth bypass with no patch - VMware disclosed a critical and unpatched authentication bypass vulnerability affecting Cloud Director appliance deployments. Cloud Director enables VMware admins to manage their organizations' cloud services as part of Virtual Data Centers. The auth ...
1 year ago Bleepingcomputer.com CVE-2023-34060
Investigation of Possible Causes of ESXiArgs Ransomware Attacks Suggests VMware is Not at Fault - Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has denied allegations that two-year-old security flaws have been used in the current ESXiArgs ransomware attacks. Over the weekend, reports surfaced about cybercriminals ...
2 years ago Hackread.com CVE-2021-21974
CVE-2025-41233 - Description: ...
1 month ago
VMware fixes critical code execution flaw in vCenter Server - VMware issued security updates to fix a critical vCenter Server vulnerability that can be exploited to gain remote code execution attacks on vulnerable servers. vCenter Server is the central management hub for VMware's vSphere suite, and it helps ...
1 year ago Bleepingcomputer.com CVE-2023-34048 CVE-2023-34056
VMware urges admins to remove deprecated, vulnerable auth plug-in - VMware urged admins today to remove a discontinued authentication plugin exposed to authentication relay and session hijack attacks in Windows domain environments via two security vulnerabilities left unpatched. The vulnerable VMware Enhanced ...
1 year ago Bleepingcomputer.com CVE-2024-22245 CVE-2024-22250
Broadcom warns of authentication bypass in VMware Windows Tools - For instance, in November, Broadcom warned that attackers were exploiting two VMware vCenter Server vulnerabilities: a privilege escalation to root (CVE-2024-38813) and a critical remote code execution flaw (CVE-2024-38812) identified during China's ...
4 months ago Bleepingcomputer.com CVE-2024-38813
VMware warns admins of public exploit for vRealize RCE flaw - VMware warned customers on Monday that proof-of-concept exploit code is now available for an authentication bypass flaw in vRealize Log Insight. "Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published," ...
1 year ago Bleepingcomputer.com CVE-2023-34051
Russians break into Microsoft as Chinese hit VMware users The Register - A VMware security vulnerability has been exploited by Chinese cyberspies since late 2021, according to Mandiant, in what has been a busy week for nation-state espionage news. On Friday VMware confirmed CVE-2023-34048, a critical out-of-bounds write ...
1 year ago Go.theregister.com CVE-2023-34048 Hunters
Top 30 Best Penetration Testing Tools - 2025 - The tool supports various protocols and offers advanced filtering and analysis capabilities, making it ideal for diagnosing network issues, investigating security incidents, and understanding complex network interactions during penetration testing. ...
3 months ago Cybersecuritynews.com
Chinese Spies Exploited Critical VMware Bug for Nearly 2 Years - One of the most serious VMware vulnerabilities in recent memory was secretly being exploited by a Chinese advanced persistent threat for years before a patch became available. In a sign of just how severe this particular issue was, VMware went so far ...
1 year ago Darkreading.com CVE-2023-34048 CVE-2023-20867
Chinese threat group exploited VMware vulnerability in 2021 - A critical VMware vulnerability that was patched in October was exploited in the wild two years ago by a China-nexus threat actor, according to new research from Mandiant. On Oct. 25, VMware first disclosed an out-of-bounds write vulnerability ...
1 year ago Techtarget.com CVE-2023-34048 CVE-2023-34056 CVE-2023-20867
VMware ESXi and Workstation Vulnerabilities Let Attackers Execute Malicious Code on Host - Multiple severe vulnerabilities have been addressed affecting VMware ESXi, Workstation, Fusion, and Tools that could allow attackers to execute malicious code on host systems. However, on VMware Workstation and Fusion desktop platforms, successful ...
1 week ago Cybersecuritynews.com
The Dangers of Remote Management & Monitoring Tools for Cybersecurity - Remote monitoring and management (RMM) tools are used by business organizations to manage and monitor their enterprise IT infrastructure from a central location. However, the increasing sophistication of hackers and cybercriminals has caused both ...
2 years ago Csoonline.com
VMware Tools Vulnerability Let Attackers Tamper Files to Trigger Malicious Operations - This latest security issue follows several other VMware vulnerabilities addressed earlier this year, including a critical TOCTOU vulnerability (CVE-2025-22224) affecting VMware ESXi and Workstation that could lead to out-of-bounds write and potential ...
2 months ago Cybersecuritynews.com CVE-2025-22224
7 Best Vulnerability Scanning Tools & Software - Vulnerability scanning tools scan assets to identify missing patches, misconfigurations, exposed application vulnerabilities, and other security issues to be remediated. To help you select the best fitting vulnerability scanning solution, we've ...
1 year ago Esecurityplanet.com
VMware Fixes Critical Security Bugs in vRealize Log Analysis Tool - Organizations using the VMware vRealize Log Analysis tool are being urged to update it in order to patch several recently discovered security bugs. According to a security advisory issued by VMware yesterday, the company has identified a critical ...
2 years ago Bleepingcomputer.com
Exploit Released for Critical VMware vRealize Log Insight RCE Vulnerability - Horizon3 security researchers have released proof-of-concept code for a VMware vRealize Log Insight vulnerability chain that allows attackers to gain remote code execution on unpatched appliances. VMware patched four security vulnerabilities in its ...
2 years ago Bleepingcomputer.com CVE-2022-22972
Chinese Espionage Group Has Exploited VMware Flaw Since 2021 - A Chinese espionage group spotted last year by Mandiant researchers abusing a flaw that affected VMware virtualization tools has been exploiting another zero-day vulnerability in VMware's vCenter Server since at least late 2021, according to the ...
1 year ago Securityboulevard.com CVE-2023-34048 CVE-2023-20867
VMware makes Workstation Pro and Fusion Pro free for personal use - VMWare has made Workstation Pro and Fusion Pro free for personal use, allowing home users and students to set up their own virtualized test labs and play with another operating system at little to no cost. Things have been a little shaky since ...
1 year ago Bleepingcomputer.com
VMWare Patches Two Critical Vulnerabilities - How to Stay Secure - VMWare, one of the leading providers in virtualization solutions, recently released patches for two critical vulnerabilities. The vulnerabilities, identified as CVE-2023-10000 and CVE-2023-20001, have been determined to have severe security ...
2 years ago Thehackernews.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)