Broadcom Warns of Serious Authentication Vulnerability in VMware Tools for Windows

The vulnerability allows local attackers without elevated privileges to perform operations that would normally require elevated privileges within vulnerable virtual machines.

Broadcom released a security update on Tuesday to address a critical authentication bypass vulnerability in VMware Tools for Windows, an essential suite that optimizes the performance and integration of guest operating systems in virtual machines (VMs) managed with VMware technology.

The vulnerability, cataloged as CVE-2025-22230, is due to a weakness in access control and was reported by Sergey Bliznyuk, a researcher at Positive Technologies, a Russian company sanctioned for allegedly trafficking hacking tools.

According to the security advisory issued by VMware (now owned by Broadcom), an attacker with low privileges on a Windows virtual machine could exploit this vulnerability to perform operations that would normally require elevated privileges within the same virtual machine.

“A malicious actor with non-administrative privileges on a Windows VM can potentially execute certain operations with elevated privileges on that VM,” Broadcom notes in its statement.

Risk of local privilege escalation without user interaction

The flaw can be exploited through low-complexity attacks that do not require user interaction, making it a realistic threat to enterprise environments operating with virtualized infrastructure. Although the attack vector is local, its impact is significant, as it would allow an internal or limited-access attacker to fully compromise the guest operating system.

A recent history of critical vulnerabilities in VMware

This new security advisory comes weeks after Broadcom patched three zero-day vulnerabilities in VMware (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226), detected in active campaigns and reported by the Microsoft Threat Intelligence Center. In that case, attackers with administrator or root privileges could chain the flaws to escape the virtual machine sandbox, compromising the host or virtualization environment.

The monitoring platform Shadowserver soon detected over 37,000 instances of VMware ESXi exposed to the Internet vulnerable to CVE-2025-22224, highlighting the magnitude of the problem.

A priority target for criminal groups and state actors

VMware solutions are widely used in corporate environments, making them a common target for ransomware groups and state-sponsored actors. In November 2024, Broadcom already warned of the active exploitation of two critical vulnerabilities in vCenter Server, detected during a hacking competition held in China.

Additionally, in January 2024, it was revealed that groups linked to China had exploited a zero-day vulnerability in vCenter Server (CVE-2023-34048) since late 2021 to deploy the backdoors VirtualPita and VirtualPie on compromised ESXi servers.

Recommendations

Broadcom advises all system administrators and security personnel to update VMware Tools for Windows immediately to the latest available version. In sensitive environments, it is also recommended to review the activity logs of virtual machines and implement additional internal access control measures.
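To act on the update recommendation across a fleet of Windows guests, an administrator first needs to know which VMware Tools build each VM is running. The following PowerShell script is an added example written for this page, not code from Broadcom or the VMware advisory. It reads the installed version from VMwareToolboxCmd.exe (falling back to the Uninstall registry entries) and compares it against a minimum version; the minimum version is a placeholder that must be replaced with the fixed build listed in the advisory for CVE-2025-22230, which this page does not state.

```powershell
# Added example, not from the Broadcom advisory: report the installed VMware Tools
# version on a Windows guest and flag it if it is below a required minimum.
# $MinimumFixedVersion is a PLACEHOLDER; take the real fixed build from the
# VMware security advisory for CVE-2025-22230.
param(
    [version]$MinimumFixedVersion = [version]'0.0.0.0'   # placeholder, replace with advisory value
)

function Get-VMwareToolsVersion {
    # Preferred source: the Tools command-line utility shipped with VMware Tools.
    $toolboxCmd = Join-Path $env:ProgramFiles 'VMware\VMware Tools\VMwareToolboxCmd.exe'
    if (Test-Path $toolboxCmd) {
        # "VMwareToolboxCmd.exe -v" prints the version followed by a build tag,
        # e.g. "12.4.5.23787635 (build-23787635)"; keep only the dotted version.
        $raw = & $toolboxCmd -v
        if ($raw -match '^(\d+(\.\d+)+)') { return [version]$Matches[1] }
    }

    # Fallback: the Add/Remove Programs (Uninstall) registry entries.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -eq 'VMware Tools' } |
             Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) { return [version]$entry.DisplayVersion }

    return $null
}

$installed = Get-VMwareToolsVersion
if (-not $installed) {
    Write-Output "$env:COMPUTERNAME: VMware Tools not found on this guest."
} elseif ($installed -lt $MinimumFixedVersion) {
    Write-Output "$env:COMPUTERNAME: VMware Tools $installed is below $MinimumFixedVersion - update required."
} else {
    Write-Output "$env:COMPUTERNAME: VMware Tools $installed meets the minimum version."
}
```

Run it on each guest (or push it through your existing management tooling) as `.\Check-VMwareTools.ps1 -MinimumFixedVersion <fixed build from the advisory>`; guests reported as "update required" are the ones that still need the Tools update, and the VMwareToolboxCmd.exe check is preferred because it reflects the binaries actually installed rather than only the registry record.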

The company emphasizes that keeping virtualized environments up to date is essential to prevent serious incidents and avoid becoming a target of sophisticated cyberattacks.

More information and technical details about the vulnerability are available on the VMware security advisory page.
