A new high-severity vulnerability, CVE-2025-22230, has been disclosed in VMware Tools for Windows. The flaw is an authentication bypass: a local user with non-administrative privileges on a Windows guest VM can perform certain high-privilege operations within that guest. There is no indication of active exploitation at the time of writing, but the low bar to abuse (any unprivileged account inside the guest) makes this a priority fix for environments that rely on VMware Tools.
Key Details
CVE ID: CVE-2025-22230
Severity: High (CVSS v3 score: 7.8)
Affected versions: VMware Tools for Windows 11.x.x and 12.x.x prior to 12.5.1
Patched version: VMware Tools 12.5.1 (see the 12.5.1 release notes)
Impact
The vulnerability affects only the Windows build of VMware Tools; the macOS and Linux builds are not affected.
The root cause is improper access control: a low-privileged user inside a Windows guest can bypass the authentication that is supposed to gate certain high-privilege VMware Tools operations. The attack vector is local, so an attacker first needs code execution or an interactive session as an ordinary user in the guest. From that position, the flaw could be used to tamper with security tooling, establish persistence, or reach data that should be protected, all without admin credentials.
For organizations that run virtual desktop infrastructure (VDI), shared test environments, or sandboxed Windows VMs in which untrusted users already hold low-privilege access, this flaw turns an ordinary user account into a path to deeper compromise of the guest if it is not addressed promptly.
Remediation
Broadcom has released a patched version of VMware Tools, 12.5.1, that addresses this issue. We recommend the following actions:
- Immediately update all Windows guest VMs running affected versions of VMware Tools.
- Verify update deployment through system management tools or vulnerability scanners, for example by checking the VMware Tools version installed on each guest rather than trusting the deployment job's status.
- Monitor for any unusual privilege escalation attempts within guest VMs.
- If patching is delayed, implement enhanced monitoring and alerting for VM activity.
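The following PowerShell script is an added example of the verification step above; it is not code from Broadcom or from the original post. Run inside a Windows guest (for example via an RMM or configuration-management tool), it reads the installed VMware Tools version from the Uninstall registry keys, falls back to `VMwareToolboxCmd.exe -v` if that lookup fails, and reports whether the version falls in the range Broadcom lists as affected (11.x.x, or 12.x.x below 12.5.1). The registry key names, the `VMwareToolboxCmd.exe` path and its output format are assumptions about a standard VMware Tools install, not something stated on this page.

```powershell
# Added example (not Broadcom's code): is this Windows guest's VMware Tools
# version affected by CVE-2025-22230?
# Assumptions: VMware Tools registers an Uninstall entry with DisplayName
# "VMware Tools" and a DisplayVersion such as "12.5.0.24276846", and
# VMwareToolboxCmd.exe -v prints the version as the first token.

$FixedVersion = [version]'12.5.1'

function Get-VMwareToolsVersion {
    # Prefer the registry (no process spawn); fall back to the toolbox binary.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'VMware Tools*' } |
        Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) { return [string]$entry.DisplayVersion }

    $toolbox = Join-Path $env:ProgramFiles 'VMware\VMware Tools\VMwareToolboxCmd.exe'
    if (Test-Path $toolbox) {
        # Output looks like "12.5.0.24276846 (build-24276846)"; keep the leading number.
        $raw = & $toolbox -v 2>$null
        if ($raw -match '^\s*(\d+(\.\d+){1,3})') { return $Matches[1] }
    }
    return $null
}

function Test-CVE202522230 {
    param([Parameter(Mandatory)][string]$VersionString)
    $v = [version]$VersionString
    # Broadcom's advisory lists 11.x.x and 12.x.x before 12.5.1 as affected.
    # [version] compares component-wise, so 12.5.0.24276846 -lt 12.5.1 is $true
    # and 12.5.1.<build> -lt 12.5.1 is $false.
    if ($v.Major -eq 11) { return $true }
    if ($v.Major -eq 12 -and $v -lt $FixedVersion) { return $true }
    return $false
}

$installed = Get-VMwareToolsVersion
if (-not $installed) {
    Write-Output "VMware Tools not detected on $env:COMPUTERNAME"
} elseif (Test-CVE202522230 -VersionString $installed) {
    # Non-zero exit so a management tool can flag the host without parsing text.
    Write-Output "VULNERABLE: $env:COMPUTERNAME runs VMware Tools $installed (fixed in $FixedVersion)"
    exit 1
} else {
    Write-Output "OK: $env:COMPUTERNAME runs VMware Tools $installed"
}
```

Versions outside the 11.x/12.x range (for example a very old 10.x install) are reported as OK by `Test-CVE202522230` because Broadcom's advisory does not list them; treat such guests as unsupported and review them separately rather than reading OK as safe. The same check can be applied from the management side to the tools version that vCenter reports per VM, but the guest-side read is the one that confirms the upgrade actually landed.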