VMware Tools VGAuth Vulnerabilities

VMware Tools VGAuth Vulnerabilities

No Comments

Overview:
Two critical local privilege escalation vulnerabilities were recently discovered in the VGAuth service component of VMware Tools for Windows virtual machines (VMs). These are tracked as:

  • CVE-2025-22230
  • CVE-2025-22247

Both issues allow attackers with low privileges inside a Windows guest VM to escalate their access to SYSTEM level, the highest level of privilege on Windows, which could lead to complete control of the affected VM.

Vulnerability #1: CVE-2025-22230

  • Title: Named Pipe Hijacking in VGAuthService
  • Severity: Critical
  • Attack Vector: Local (inside guest VM)
  • Patched in: VMware Tools 12.5.1

Technical Details:

  • What is VGAuth?
    VGAuth is VMware’s VM Guest Authentication service, which handles authentication between the host and the guest OS in VMware environments.
  • Named Pipe Hijacking:
    VGAuth creates a named pipe (a method used for inter-process communication in Windows) using a name based on the logged-in user. However, the pipe name was predictable and not adequately protected, meaning a low-privileged attacker could pre-create the pipe under their control.
  • Attack Flow:
  1. Attacker guesses the pipe name VGAuth will use (due to predictable naming).
  2. Creates a malicious pipe before VGAuth does.
  3. When VGAuth attempts SYSTEM-level operations using the pipe, it connects to the attacker’s pipe.
  4. The attacker’s process now executes actions as SYSTEM.

Vulnerability #2: CVE-2025-22247

  • Title: Path Traversal in Alias Store Operations
  • Severity: Critical
  • Attack Vector: Local
  • Patched in: VMware Tools 12.5.2

Technical Details:

  • Alias Store Functionality:
    VGAuth maintains a data store for credential alias information associated with VM users.
  • Security Flaw:
    Username input was not properly sanitized, so attackers could insert path traversal sequences (e.g., ..\..\) into usernames.
  • Impact:
  • This allowed attackers to:
    • Escape the intended directory scope.
    • Delete arbitrary files.
    • Overwrite or manipulate DLLs via symlink (symbolic link) attacks.
  • Result: These attacks open doors to privilege escalation, data tampering, and potential persistence mechanisms on the guest VM.

Other Relevant VGAuth Vulnerabilities

CVE-2023-20867

  • Let an attacker on a compromised ESXi host bypass guest OS authentication entirely.
  • Allowed execution of privileged guest commands without credentials.
  • Reportedly exploited in the wild, indicating real-world attacks took place.

CVE-2022-22977

  • Allowed denial of service (crashing the service) and occasional information disclosure by interfering with VGAuth files.
  • Lower severity, but still relevant in hardened or compliance-critical environments.

Mitigation Guidance

  • Upgrade to VMware Tools 12.5.2 or higher on all Windows guest VMs to ensure both CVE-2025 vulnerabilities are patched.
  • For older vulnerabilities like CVE-2023-20867 or CVE-2022-22977:
  • Review whether your hypervisor and guest VMware Tools versions are still within supported ranges.
  • Upgrade or deprecate older configurations accordingly.

Security Best Practices

  • Regularly update VMware Tools even though it is often seen as “just a utilities package.”
  • Treat guest-to-host integration services (like VGAuth) as critical attack surfaces, especially in environments with lateral movement risks.
  • Use least privilege principles wherever possible—restrict console access to VMs and monitor for unusual system pipe or alias activity.

Exploitation Evidence

CVE-2025-22230 and CVE-2025-22247 (2025)

  • No confirmed in-the-wild exploitation as of July 2025 for CVE-2025-22230 or CVE-2025-22247.
    • Multiple security advisories and vulnerability databases report these flaws as highly exploitable in test or lab environments, with successful demonstration by researchers using proof-of-concept exploits. However, there is no public record of widespread malware, ransomware, or APT groups exploiting these two 2025 CVEs in the wild.
    • Security experts and vendors strongly urge patching due to the ease and impact of exploitation if an attacker already has local access, but recommend close monitoring as these vulnerabilities are actively discussed in the cybersecurity community, increasing the risk of future exploitation.

CVE-2023-20867 (2023)

  • Confirmed as actively exploited in the wild by sophisticated threat actors, including the UNC3886 APT group.
    • Attackers leveraged this “host-to-guest” authentication bypass in real-world intrusions, targeting ESXi hosts and gaining privileged access to guest VMs without guest credentials or logging.
    • This exploitation has been documented by threat intelligence (Mandiant, Google Cloud, CISA KEV catalog), and is referenced as a notable example of a VMware zero-day targeted by advanced persistent threat actors.
    • Ransomware groups and other actors have also been linked to leveraging CVE-2023-20867 in multi-step attacks against virtual infrastructure.
Tags:

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.