Broadcom released security updates today to fix a high-severity authentication bypass vulnerability in VMware Tools for Windows.
VMware Tools is a suite of drivers and utilities designed to improve performance, graphics, and overall system integration for guest operating systems running in VMware virtual machines.
The vulnerability (CVE-2025-22230) is caused by an improper access control weakness and was reported by Sergey Bliznyuk of Positive Technologies (a sanctioned Russian cybersecurity company accused of trafficking hacking tools).
Local attackers with low privileges can exploit it in low-complexity attacks that don’t require user interaction to gain high privileges on vulnerable VMs.
“A malicious actor with non-administrative privileges on a Windows guest VM may gain ability to perform certain high-privilege operations within that VM,” VMware explains in a security advisory published on Tuesday.
Earlier this month, Broadcom also patched three VMware zero days (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226), which were tagged as exploited in attacks and reported by the Microsoft Threat Intelligence Center.
As the company explained at the time, attackers with privileged administrator or root access can chain these vulnerabilities to escape the virtual machine’s sandbox.
Days after patches were released, threat monitoring platform Shadowserver found over 37,000 internet-exposed VMware ESXi instances vulnerable to CVE-2025-22224 attacks.
Ransomware gangs and state-sponsored hackers frequently target VMware vulnerabilities, as VMware products are widely used in enterprise operations to store or transfer sensitive corporate data.
For instance, in November, Broadcom warned that attackers were exploiting two VMware vCenter Server vulnerabilities: a privilege escalation to root (CVE-2024-38813) and a critical remote code execution flaw (CVE-2024-38812) identified during China’s 2024 Matrix Cup hacking contest.
In January 2024, Broadcom also disclosed that Chinese state hackers had used a critical vCenter Server zero-day vulnerability (CVE-2023-34048) since late 2021 to deploy VirtualPita and VirtualPie backdoors on affected ESXi systems.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.