Broadcom has issued security updates for a serious vulnerability in VMware Tools for Windows. Tracked as CVE-2025-22230 and rated 7.8 on the CVSS scale, the flaw allows authentication bypass and stems from inadequate access control within the VMware Tools application.
In an official statement, Broadcom noted, “VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control.” This issue enables a malicious actor with limited privileges on a Windows guest virtual machine (VM) to execute high-privilege operations, effectively escalating their access and control within that environment. The vulnerability affects VMware Tools for Windows versions 11.x.x and 12.x.x and has been resolved in version 12.5.1. No workarounds exist to address the vulnerability prior to updating.
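Since the only remediation is updating to 12.5.1, a practical first step is to inventory guest VMs for affected builds. The following PowerShell is an added example, not code from Broadcom or the advisory; it assumes VMwareToolboxCmd.exe is under the default VMware Tools install directory and that its `-v` output starts with a dotted version string.

```powershell
# Added example: classify a VMware Tools for Windows version against the
# advisory's stated ranges (affected: 11.x.x and 12.x.x; fixed: 12.5.1).
function Test-VMwareToolsAffected {
    param([Parameter(Mandatory)][string]$VersionString)

    # Accept strings like "12.4.0.23259341 (build-23259341)" and keep major.minor.patch
    if ($VersionString -notmatch '^\s*(\d+)\.(\d+)\.(\d+)') {
        throw "Unrecognised VMware Tools version string: '$VersionString'"
    }
    $v     = [version]"$($Matches[1]).$($Matches[2]).$($Matches[3])"
    $fixed = [version]'12.5.1'

    # Affected per the advisory: any 11.x.x, or 12.x.x older than 12.5.1.
    # Versions outside 11.x/12.x are reported as not covered by the advisory.
    $affected = ($v.Major -eq 11) -or ($v.Major -eq 12 -and $v -lt $fixed)

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Version      = $v.ToString()
        Affected     = $affected
        Action       = if ($affected) { 'Update VMware Tools to 12.5.1 or later' } else { 'None required' }
    }
}

# Assumed default install path (not taken from the advisory); adjust if relocated.
$toolboxCmd = 'C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe'

if (Test-Path -LiteralPath $toolboxCmd) {
    $raw = (& $toolboxCmd -v) | Select-Object -First 1
    Test-VMwareToolsAffected -VersionString $raw
} else {
    Write-Warning "VMwareToolboxCmd.exe not found at '$toolboxCmd'; VMware Tools may not be installed on this guest."
}
```

Run it on each Windows guest (for example via `Invoke-Command` against a list of hosts) and filter on `Affected -eq $true` to build the patch list.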
The flaw was reported by Sergey Bliznyuk of Positive Technologies, a cybersecurity firm based in Russia. As with many vulnerabilities of this kind, exploitation can lead to broader security risks, particularly where systems remain unpatched.
Separately, CrushFTP has warned its customers of another security issue involving “unauthenticated HTTP(S) port access” in versions 10 and 11 of its software. The issue, which has not yet been assigned a CVE, affects deployments where the DMZ function is not in use. It is not known to be actively exploited, but the potential for unauthorized access remains a security concern.
According to Rapid7, successful exploitation of this CrushFTP issue could give attackers unauthenticated access through an exposed HTTP(S) port, compounding the risk of leaving it unaddressed. In MITRE ATT&CK terms, this corresponds to initial access via an exposed service, potentially followed by privilege escalation once inside.
A proof-of-concept (PoC) exploit has also been released for a different CrushFTP flaw, tracked as CVE-2025-31161. Rated 9.8 on the CVSS scale, it allows unauthenticated remote access to CrushFTP over HTTP, bypassing authentication entirely. The root cause is improper handling of S3 authentication headers, specifically user-configuration handling that does not account for certain characters in usernames.
ProjectDiscovery has detailed the exploit process, noting that attackers can gain unauthorized access simply by crafting specific HTTP requests. The Shadowserver Foundation has since reported active exploitation attempts targeting this vulnerability following the PoC release, highlighting the ongoing risk to users.
As exploitation attempts intensify, organizations utilizing VMware Tools and CrushFTP are urged to prioritize applying the necessary security updates to mitigate associated risks. Both vulnerabilities underline the critical importance of timely patching and proactive vulnerability management within any robust cybersecurity strategy.
In light of these recent events, business owners are reminded of the evolving threat landscape and the necessity for vigilant cybersecurity practices, including the regular updating of software and thorough vulnerability assessments to safeguard sensitive data.