A moderate-severity weakness in VMware Tools (for Windows and Linux) has been found that allows users with non-administrator access inside a guest VM to alter certain files and induce insecure operations, potentially breaking the virtual machine’s integrity.

Key Takeaways
- The flaw (CVE-2025-22247) affects VMware Tools versions 11.x and 12.x on Windows and Linux (macOS unaffected).
- An attacker with limited permissions in a guest VM can tamper with local files and trigger unsafe behavior within that VM.
- VMware has released patched versions to fix this. No mitigations or workarounds currently exist — updating is the only effective fix.

The Vulnerability Explained
- The vulnerability is an insecure file handling flaw inside VMware Tools: a malicious actor inside the guest OS (with non-admin privileges) can manipulate files so that VMware Tools performs unsafe operations.
- Because VMware Tools runs with elevated privileges in the guest to carry out tasks (driver functions, guest-host operations), abusing this file handling can let the attacker escalate or compromise guest operations.
- The issue has been assigned a CVSS v3 score of 6.1 (moderate severity).
- The flaw was discovered and reported by security researcher Sergey Bliznyuk.
- Though the attack is limited to within the guest VM, in multi-tenant or cloud environments, this could be chained into broader compromise or lateral movement.

Affected Systems & Risk
- Affected versions: VMware Tools 11.x and 12.x, on Windows and Linux. (macOS versions are not affected.)
- Attack prerequisites: The attacker must already have a non-administrative user account inside the guest VM.
- Impact: File tampering can lead to changed configurations, elevated privileges, or misuse of operations within the guest.
- Why this matters: In environments where many virtual machines share infrastructure, guest compromise could be used to escalate or spread attacks.

Remediation & Best Practices
- VMware has released VMware Tools version 12.5.2 as the patched release for both Windows and Linux.
- For 32-bit Windows systems, the fix is in VMware Tools 12.4.7 (included in the 12.5.2 bundle).
- Linux distributions will adopt fixes via their respective open-vm-tools packages (version names may vary by distro/vendor).
- No workaround available: patching is the only recommended mitigation.
- Administrators in virtualized or cloud environments should, as soon as possible, deploy the updates across all affected VMs.
- Monitor for unauthorized file changes inside guest VMs.
- Apply the principle of least privilege to VM users to limit damage if file tampering is possible.
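
To prioritise the rollout, the version rules above can be applied to a guest inventory. The script below is an added example, not VMware's tooling: the host names, build numbers and the `distro_package` flag are constructed, and the version strings follow the shape printed by `vmware-toolbox-cmd -v`.

```python
import re

FIXED = (12, 5, 2)        # patched release for Windows and Linux (from the advisory)
FIXED_WIN32 = (12, 4, 7)  # patched release for 32-bit Windows (from the advisory)

def parse_version(text):
    """Pull (major, minor, patch) out of a string such as '12.3.5.46049 (build-...)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(os_family, arch, version_text, distro_package=False):
    """Classify one guest against the affected/fixed versions the advisory lists."""
    os_family = os_family.lower()
    if os_family not in ("windows", "linux"):
        return "not-affected"      # macOS builds are not affected
    version = parse_version(version_text)
    if version[0] not in (11, 12):
        return "not-listed"        # advisory only names the 11.x and 12.x branches
    fixed = FIXED_WIN32 if (os_family, arch) == ("windows", "x86") else FIXED
    if version >= fixed:
        return "patched"
    if os_family == "linux" and distro_package:
        # Distro open-vm-tools builds may carry the fix under an older version
        # number, so the number alone cannot prove the guest is vulnerable.
        return "check-vendor"
    return "vulnerable"

# Constructed inventory: (name, os, arch, reported version, distro package?)
SAMPLE_INVENTORY = [
    ("web01",    "windows", "x64",   "12.3.5.46049 (build-22544099)", False),
    ("legacy32", "windows", "x86",   "12.4.7.10000 (build-10000000)", False),
    ("old01",    "windows", "x64",   "11.3.5.31214 (build-18557794)", False),
    ("db01",     "linux",   "x64",   "12.5.2.10001 (build-10000001)", False),
    ("app02",    "linux",   "x64",   "2:12.3.5-1",                    True),
    ("mac01",    "macos",   "arm64", "12.1.0.10002 (build-10000002)", False),
]

def audit(inventory):
    """Map each guest name to its triage status."""
    return {name: triage(os_family, arch, ver, distro)
            for name, os_family, arch, ver, distro in inventory}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name:10} {status}")
```

Guests reported as `check-vendor` need the distribution's own security advisory to confirm whether the installed open-vm-tools package includes the fix.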