Broadcom has issued security patches to address a high-severity security flaw in VMware Tools for Windows that could lead to an authentication bypass.
Tracked as CVE-2025-22230, the vulnerability is rated 7.8 on the ten-point Common Vulnerability Scoring System (CVSS).
“VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control,” Broadcom said in an alert issued Tuesday. “A malicious actor with non-administrative privileges on a Windows guest VM may gain the ability to perform certain high-privilege operations within that VM.”
Credited with discovering and reporting the flaw is Sergey Bliznyuk of Russian cybersecurity company Positive Technologies.
CVE-2025-22230 impacts VMware Tools for Windows versions 11.x.x and 12.x.x. It has been fixed in version 12.5.1. There are no workarounds that address the issue.
CrushFTP Discloses New Flaw
The development comes as CrushFTP has warned customers of an “unauthenticated HTTP(S) port access” vulnerability affecting CrushFTP versions 10 and 11. It has yet to be assigned a CVE identifier.
“This issue affects CrushFTP v10/v11 but does not work if you have the DMZ function of CrushFTP in place,” the company said. “The vulnerability was responsibly disclosed, it is not being used actively in the wild that we know of, no further details will be given at this time.”
According to details shared by cybersecurity company Rapid7, successful exploitation of the vulnerability could lead to unauthenticated access via an exposed HTTP(S) port.
With security flaws in VMware and CrushFTP previously exploited by malicious actors, it’s essential that users apply the updates as soon as possible.
Update
The vulnerability impacting CrushFTP has been assigned the CVE identifier CVE-2025-2825. It carries a CVSS score of 9.8 out of 10, indicating critical severity.
“CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access,” according to an advisory for the flaw. “Remote and unauthenticated HTTP requests to CrushFTP may allow attackers to gain unauthorized access.”
ProjectDiscovery, in a technical write-up, said the vulnerability resides in a component that handles the ability to use Amazon S3 as the backend file system. “The vulnerability exists in the loginCheckHeaderAuth() method of ServerSessionHTTP.java, which processes HTTP requests with S3-style authorization headers,” it said.
Specifically, the issue has to do with a setting called “lookup_user_pass” that’s set to true by default when S3 authentication headers are processed and the username doesn’t contain a tilde character (~).
This allows unauthenticated attackers to skip the signature and password validation steps designed to ensure the request is authentic, and so gain unauthorized access. A proof-of-concept (PoC) exploit has been released for CVE-2025-2825, making it essential that users apply the latest fix.
“Exploiting this vulnerability is straightforward,” ProjectDiscovery said. “An attacker only needs to craft an HTTP request with: 1) An AWS S3-style authorization header with a valid username. 2) A CrushAuth cookie with matching c2f parameter values.”
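As an added example (not code from CrushFTP, ProjectDiscovery or Rapid7), the following Python script turns the version ranges quoted from the advisory and the request shape described in the write-up into two defender-side checks: an affected-version test for fleet inventory, and a scan over access-log lines that flags requests carrying an S3-style Authorization header whose credential username has no tilde, with a CrushAuth cookie on the same request raising confidence. The tab-separated log format, the field layout and the sample lines are constructed assumptions for illustration; a real deployment's proxy or server log will differ and the parser would need adjusting.

```python
"""Triage helpers for the CrushFTP issue described above (CVE-2025-2825).

Added example, not code from CrushFTP, ProjectDiscovery or Rapid7. Assumes a
constructed reverse-proxy access log where each line holds five tab-separated
fields: source IP, method, path, Authorization header, Cookie header.
"""
import re
from dataclasses import dataclass

# Affected ranges as stated in the advisory quoted above: inclusive bounds.
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 8, 3)),
    ((11, 0, 0), (11, 3, 0)),
)

# S3 SigV4 header: "AWS4-HMAC-SHA256 Credential=<key>/<date>/<region>/s3/aws4_request, ..."
_SIGV4 = re.compile(r"^AWS4-HMAC-SHA256\s+Credential=([^/,\s]+)/", re.IGNORECASE)
# Older S3 SigV2 header: "AWS <key>:<signature>"
_SIGV2 = re.compile(r"^AWS\s+([^:\s]+):", re.IGNORECASE)


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable integer tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(text):
    """True when the CrushFTP version falls inside an advisory-listed range."""
    version = parse_version(text)
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def s3_username(authorization):
    """Return the access key / username from an S3-style Authorization header, else None."""
    value = authorization.strip()
    for pattern in (_SIGV4, _SIGV2):
        match = pattern.match(value)
        if match:
            return match.group(1)
    return None


def has_crushauth_cookie(cookie):
    """True if a CrushAuth cookie is present in the Cookie header."""
    return any(c.strip().startswith("CrushAuth=") for c in cookie.split(";"))


@dataclass
class Finding:
    line_no: int
    source: str
    path: str
    username: str
    confidence: str  # "high" when the CrushAuth cookie accompanies the header


def triage_log(lines):
    """Flag requests matching the header pattern from the write-up.

    A tilde in the username means the lookup_user_pass path described above is
    not taken, so such requests are left alone; everything else with an
    S3-style header on a server that is not meant to serve S3 clients is
    worth a look.
    """
    findings = []
    for line_no, line in enumerate(lines, 1):
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5:
            continue  # malformed line; a real parser would log this
        source, _method, path, auth, cookie = fields
        user = s3_username(auth)
        if user is None or "~" in user:
            continue
        confidence = "high" if has_crushauth_cookie(cookie) else "medium"
        findings.append(Finding(line_no, source, path, user, confidence))
    return findings


# Constructed sample log lines (documentation addresses, made-up values).
SAMPLE_LOG = [
    "203.0.113.5\tGET\t/files\tAWS4-HMAC-SHA256 Credential=alice/20250327/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=deadbeef\tCrushAuth=1743000000_abcdef; other=1",
    "198.51.100.7\tGET\t/\t\t",
    "203.0.113.9\tPUT\t/bucket/object\tAWS4-HMAC-SHA256 Credential=svc~s3user/20250327/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=cafe\t",
    "192.0.2.4\tPOST\t/files\tBasic dXNlcjpwYXNz\tCrushAuth=1743000001_012345",
]

if __name__ == "__main__":
    for v in ("10.8.3", "10.8.4", "11.3.0", "11.3.1"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    for f in triage_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.source} {f.path} user={f.username} confidence={f.confidence}")
```

Running the script against the constructed sample prints one finding (line 1, user `alice`, high confidence); the tilde-containing username on line 3 and the Basic-auth request on line 4 are not flagged. In a real environment the version check belongs in whatever inventory tooling already records CrushFTP builds, and the log scan is only meaningful on hosts that are not expected to receive S3-style client requests at all.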
(The story was updated after publication to include details of the CVE identifier and the PoC.)