VMware Tools VGAuth Vulnerabilities

PravinKarthik

6 months ago

What is VGAuth?
VGAuth is VMware’s VM Guest Authentication service, which handles authentication between the host and the guest OS in VMware environments.
Named Pipe Hijacking:
VGAuth creates a named pipe (a method used for inter-process communication in Windows) using a name based on the logged-in user. However, the pipe name was predictable and not adequately protected, meaning a low-privileged attacker could pre-create the pipe under their control.
Attack Flow:

Attacker guesses the pipe name VGAuth will use (due to predictable naming).
Creates a malicious pipe before VGAuth does.
When VGAuth attempts SYSTEM-level operations using the pipe, it connects to the attacker’s pipe.
The attacker’s process now executes actions as SYSTEM.

Alias Store Functionality:
VGAuth maintains a data store for credential alias information associated with VM users.
Security Flaw:
Username input was not properly sanitized, so attackers could insert path traversal sequences (e.g., ..\..\) into usernames.
Impact:
This allowed attackers to:
- Escape the intended directory scope.
- Delete arbitrary files.
- Overwrite or manipulate DLLs via symlink (symbolic link) attacks.
Result: These attacks open doors to privilege escalation, data tampering, and potential persistence mechanisms on the guest VM.

Let an attacker on a compromised ESXi host bypass guest OS authentication entirely.
Allowed execution of privileged guest commands without credentials.
Reportedly exploited in the wild, indicating real-world attacks took place.

Allowed denial of service (crashing the service) and occasional information disclosure by interfering with VGAuth files.
Lower severity, but still relevant in hardened or compliance-critical environments.

Upgrade to VMware Tools 12.5.2 or higher on all Windows guest VMs to ensure both CVE-2025 vulnerabilities are patched.
For older vulnerabilities like CVE-2023-20867 or CVE-2022-22977:
Review whether your hypervisor and guest VMware Tools versions are still within supported ranges.
Upgrade or deprecate older configurations accordingly.

Regularly update VMware Tools even though it is often seen as “just a utilities package.”
Treat guest-to-host integration services (like VGAuth) as critical attack surfaces, especially in environments with lateral movement risks.
Use least privilege principles wherever possible—restrict console access to VMs and monitor for unusual system pipe or alias activity.

No confirmed in-the-wild exploitation as of July 2025 for CVE-2025-22230 or CVE-2025-22247.
- Multiple security advisories and vulnerability databases report these flaws as highly exploitable in test or lab environments, with successful demonstration by researchers using proof-of-concept exploits . However, there is no public record of widespread malware, ransomware, or APT groups exploiting these two 2025 CVEs in the wild.
- Security experts and vendors strongly urge patching due to the ease and impact of exploitation if an attacker already has local access, but recommend close monitoring as these vulnerabilities are actively discussed in the cybersecurity community, increasing the risk of future exploitation .

Confirmed as actively exploited in the wild by sophisticated threat actors, including the UNC3886 APT group .
- Attackers leveraged this “host-to-guest” authentication bypass in real-world intrusions, targeting ESXi hosts and gaining privileged access to guest VMs without guest credentials or logging.
- This exploitation has been documented by threat intelligence (Mandiant, Google Cloud, CISA KEV catalog), and is referenced as a notable example of a VMware zero-day targeted by advanced persistent threat actors .
- Ransomware groups and other actors have also been linked to leveraging CVE-2023-20867 in multi-step attacks against virtual infrastructure.