Broadcom has released patches for a high-severity vulnerability in VMware Tools for Windows that could allow an authentication bypass.
The flaw, tracked as CVE-2025-22230, carries a CVSS score of 7.8 out of 10.
According to Broadcom, “VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control,” as stated in a security alert issued on Tuesday. “A malicious actor with non-administrative privileges on a Windows guest VM may gain the ability to perform certain high-privilege operations within that VM.”
Sergey Bliznyuk of the Russian cybersecurity company Positive Technologies is credited with discovering and reporting the flaw.
CVE-2025-22230 affects VMware Tools for Windows versions 11.x.x and 12.x.x and is fixed in version 12.5.1. Broadcom lists no workarounds, so updating to the fixed version is the only remediation.
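Because there is no workaround, the practical task is finding every Windows guest still running an affected build. The following is an added triage helper, not code from Broadcom or from the original article. It assumes you have already collected a VMware Tools version string per guest (for example from `VMwareToolboxCmd.exe -v`, or the `DisplayVersion` value under the Windows Uninstall registry key) and classifies each one against the ranges in the advisory; the hostnames and version strings below are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Ranges from Broadcom's advisory for CVE-2025-22230: VMware Tools for Windows
# 11.x.x and 12.x.x are affected, and 12.5.1 is the fixed release.
FIXED_VERSION: Tuple[int, int, int] = (12, 5, 1)
AFFECTED_MAJORS = {11, 12}

# Matches the leading dotted version in strings such as
# "12.4.5.23787635 (build-23787635)" (VMwareToolboxCmd.exe -v output) or
# "12.5.1.24649672" (DisplayVersion from the Uninstall registry key).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample inventory (hostname -> reported version string); the
# hostnames and build suffixes are illustrative, not real hosts.
SAMPLE_INVENTORY: Dict[str, str] = {
    "win-app-01": "12.4.5.23787635 (build-23787635)",
    "win-db-02": "12.5.1.24649672 (build-24649672)",
    "win-legacy-03": "11.3.5.18557794 (build-18557794)",
    "win-misc-04": "not installed",
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a VMware Tools version string, or None."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def status(text: str) -> str:
    """Classify one version string against the advisory.

    'vulnerable'   : 11.x.x or 12.x.x below 12.5.1
    'patched'      : 12.5.1 or later 12.x
    'out_of_scope' : a major version the advisory does not list (not asserted safe)
    'unknown'      : the string could not be parsed
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v[0] not in AFFECTED_MAJORS:
        return "out_of_scope"
    return "vulnerable" if v < FIXED_VERSION else "patched"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map every host in the inventory to its status."""
    return {host: status(ver) for host, ver in inventory.items()}


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Hosts that must be upgraded to 12.5.1, in inventory order."""
    return [host for host, st in triage(inventory).items() if st == "vulnerable"]


if __name__ == "__main__":
    for host, st in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<14} {SAMPLE_INVENTORY[host]:<34} {st}")
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```

Hosts reported as `unknown` (no parseable version) deserve a manual look rather than being dropped: an unparseable string may mean Tools is absent, but it may also mean the collection step failed on that guest.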
CrushFTP Discloses New Vulnerability
Separately, CrushFTP has warned customers of an “unauthenticated HTTP(S) port access” vulnerability affecting CrushFTP versions 10 and 11; no CVE identifier has been assigned yet.
According to CrushFTP, “This issue affects CrushFTP v10/v11 but does not work if you have the DMZ function of CrushFTP in place. The vulnerability was responsibly disclosed, and it is not being actively exploited in the wild that we know of. No further details will be provided at this time.”
Cybersecurity company Rapid7 said in a report that successful exploitation could give an attacker unauthenticated access through an exposed HTTP(S) port.
Given that flaws in both VMware and CrushFTP products have been exploited in the past, users should apply the updates as soon as possible.