Broadcom has issued a security patch to address high-strength security flaws in VMware tools for Windows that could lead to authentication bypass.
The vulnerability tracked as CVE-2025-22230 is rated 7.8 on the 10-point Common Vulnerability Scoring System (CVSS).
“VMware tools for Windows contain authentication bypass vulnerabilities due to inappropriate access control,” Broadcom said in an alert issued Tuesday. “A malicious actor with non-administrative privileges on a Windows Guest VM may gain the ability to perform certain highly sovereign operations within that VM.”
It is believed that the defects were discovered and reported by Russian cybersecurity company Sergei Briznyuk of Positive Technology.
CVE-2025-22230 affects VMware tools for Windows versions 11.xx and 12.xx. Fixed in version 12.5.1. There is no workaround to address the issue.
CrushFTP discloses new defects
The development is warning customers of “unauthenticated HTTP(s) port access” vulnerabilities affecting crushFTP versions 10 and 11, so the development is warning customers.
“This issue affects CrushFTP V10/V11, but it won’t work if you put crushFTP DMZ function in place,” the company said. “The vulnerabilities are disclosed responsibly and are not actively used in the wild as we know them. We cannot give any further details at this time.”
According to details shared by Cybersecurity Company Rapid7, successful vulnerability exploitation can lead to unrecognized access through exposed HTTP ports.
With VMware security flaws and CrushFTP, which was previously exploited by malicious actors, it is essential that users move quickly to apply the update as quickly as possible.
Source link
