Recent discoveries have unveiled two critical vulnerabilities within the VMware Guest Authentication Service (VGAuth) component of VMware Tools. These flaws, identified as CVE-2025-22230 and CVE-2025-22247, permit local attackers to escalate their privileges from any user account to SYSTEM-level access on Windows virtual machines (VMs). This escalation poses significant security risks, potentially allowing unauthorized users to execute high-privilege operations within affected VMs.
Understanding the Vulnerabilities
1. Authentication Bypass via Named Pipe Hijacking (CVE-2025-22230)
The first vulnerability arises from a flaw in VGAuth’s implementation of named pipes, which are used for inter-process communication. VGAuth creates user-specific private pipes with predictable naming conventions, such as `\\.\pipe\vgauth-service-
This oversight allows a low-privileged attacker to create a malicious named pipe before VGAuth does. For instance, an attacker can create a pipe named `\\.\pipe\vgauth-service-system` with permissive access controls. When VGAuth attempts to create the pipe for the SYSTEM user, it inadvertently connects to the attacker’s pipe, granting the attacker SYSTEM-level privileges within the VGAuth protocol. This access enables the attacker to manipulate certificate alias stores, ticket validation mechanisms, and SAML authentication tokens, facilitating further privilege escalation.
2. Path Traversal and Insecure Link Resolution (CVE-2025-22247)
The second vulnerability exploits insufficient input validation in VGAuth’s alias store management functions. The `QueryAliases` and `RemoveAlias` operations accept unsanitized username parameters, allowing attackers to perform path traversal attacks. By crafting input such as `../../../../../../evil`, an attacker can navigate out of the intended directory (`C:\ProgramData\VMware\VMware VGAuth\aliasStore`) and access or modify arbitrary files.
Attackers can further exploit this vulnerability by combining symbolic link manipulation with time-of-check/time-of-use (TOCTOU) attacks. By creating junction points and leveraging Opportunistic Locks for precise timing, they can redirect file operations to privileged system locations like `C:\Windows\System32`. This redirection enables DLL hijacking, allowing the execution of code with SYSTEM-level privileges.
Affected Versions and Severity
Both vulnerabilities affect VMware Tools installations across ESXi-managed environments and standalone VMware Workstation deployments. The specific details are as follows:
– CVE-2025-22230: Authentication bypass via named pipe hijacking
  – CVSS 3.1 Score: 7.8 (High)
  – Affected Version: VMware Tools 12.5.0
  – Patched Version: VMware Tools 12.5.1
– CVE-2025-22247: Path traversal and insecure link resolution
  – CVSS 3.1 Score: 6.1 (Medium)
  – Affected Version: VMware Tools 12.5.0
  – Patched Version: VMware Tools 12.5.2
Mitigation and Recommendations
Broadcom has addressed these vulnerabilities through coordinated security updates:
– CVE-2025-22230: Patched in VMware Tools 12.5.1, released on March 25, 2025. The update introduces randomized private pipe names with UUID suffixes and enforces the `FILE_FLAG_FIRST_PIPE_INSTANCE` flag to prevent hijacking attacks.
– CVE-2025-22247: Patched in VMware Tools 12.5.2, released on May 12, 2025. The update implements input validation to reject usernames containing unsafe path traversal characters, runtime path validation using `GetFinalPathNameByHandleW`, and a new `allowSymlinks` configuration flag set to false by default.
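The two layers of the CVE-2025-22247 fix described above (rejecting traversal characters in the username before any file access, then checking at runtime that the path actually opened still sits inside the alias store, with link following off by default) can be modelled in a few lines of Python. This is an added example, not VGAuth code: the store root is a temporary directory rather than `C:\ProgramData\VMware\VMware VGAuth\aliasStore`, the `validate_username`/`open_alias_file` names and the allowed-character rule are assumptions, and `O_NOFOLLOW` plus `Path.resolve()` stand in for the Win32 `GetFinalPathNameByHandleW` handle check that the real patch uses. The alias entries and links are constructed for the demo. The `vulnerable_alias_path` function keeps the pre-fix behaviour (blindly joining the caller's input onto the store root) so the two can be compared side by side.

```python
import os
import re
import tempfile
from pathlib import Path

# Accepted username shape (assumption for this example): no path separators,
# no NUL, no '..' component, so a name can only ever address a single entry
# directly under the store root.
_SAFE_USERNAME = re.compile(r"[A-Za-z0-9._$-]{1,64}")


class AliasStoreError(ValueError):
    """Raised when a request would leave the alias store."""


def vulnerable_alias_path(store_root: Path, username: str) -> Path:
    """Pre-fix behaviour: join whatever the caller sent onto the store root."""
    return Path(os.path.normpath(os.path.join(str(store_root), username)))


def validate_username(username: str) -> str:
    """Layer 1 of the fix: lexical validation before touching the filesystem."""
    if not _SAFE_USERNAME.fullmatch(username) or ".." in username or username == ".":
        raise AliasStoreError(f"rejected username: {username!r}")
    return username


def open_alias_file(store_root: Path, username: str, allow_symlinks: bool = False):
    """Layer 2 of the fix: open the per-user alias file, then confirm at runtime
    that the object actually opened is still a direct child of the store root.
    `allow_symlinks` models the new configuration flag (default False)."""
    root = Path(store_root).resolve()
    candidate = root / validate_username(username)
    flags = os.O_RDONLY
    if not allow_symlinks:
        # POSIX stand-in for refusing links at open time; the attribute is absent on Windows.
        flags |= getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(candidate, flags)
    except OSError as exc:
        raise AliasStoreError(f"cannot open alias for {username!r}: {exc.strerror}") from exc
    # Stand-in for the GetFinalPathNameByHandleW check: the fully resolved path
    # of what we opened must still live directly under the store root.
    final = candidate.resolve()
    if final.parent != root:
        os.close(fd)
        raise AliasStoreError(f"alias for {username!r} resolves outside the store: {final}")
    return os.fdopen(fd, "rb")


def _rejected(root: Path, username: str, **kwargs) -> bool:
    """True if the hardened open refuses this request."""
    try:
        open_alias_file(root, username, **kwargs).close()
    except AliasStoreError:
        return True
    return False


def demo() -> dict:
    """Build a constructed alias store in a temp dir and exercise both code paths."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = (Path(tmp) / "aliasStore").resolve()
        root.mkdir()
        outside = Path(tmp) / "outside.txt"          # constructed: must stay unreachable
        outside.write_text("not-an-alias")
        (root / "alice").write_text("alice-cert")    # constructed: legitimate alias entry
        (root / "mallory").symlink_to(outside)       # constructed: link pointing out of the store
        (root / "bob").symlink_to(root / "alice")    # constructed: link that stays inside the store

        traversal = "../../../../../../evil"          # the input shape quoted in the advisory
        results["vulnerable_join_escapes"] = root not in vulnerable_alias_path(root, traversal).parents
        results["traversal_rejected"] = _rejected(root, traversal)
        results["outside_link_rejected"] = _rejected(root, "mallory")
        results["outside_link_rejected_even_if_allowed"] = _rejected(root, "mallory", allow_symlinks=True)
        results["inside_link_rejected_by_default"] = _rejected(root, "bob")
        results["inside_link_accepted_when_allowed"] = not _rejected(root, "bob", allow_symlinks=True)
        with open_alias_file(root, "alice") as fh:
            results["legitimate_user_ok"] = fh.read() == b"alice-cert"
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Running the script prints one PASS line per check. The point of the second layer is that lexical validation alone cannot see a reparse point or symlink planted under a perfectly valid name; only inspecting where the opened object really resolves closes that gap, and the `allow_symlinks` flag still confines a permitted link to the store rather than trusting it unconditionally.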
Organizations utilizing VMware Tools in Windows guest environments are strongly advised to upgrade to the latest versions to mitigate these critical security risks. Prompt application of these patches is essential to maintain the integrity and security of virtualized environments.