Article Details

Scrape Timestamp (UTC): 2025-03-26 04:25:18.405

Source: https://thehackernews.com/2025/03/new-security-flaws-found-in-vmware.html

Original Article Text


New Security Flaws Found in VMware Tools and CrushFTP — High Risk, No Workaround

Broadcom has issued security patches to address a high-severity security flaw in VMware Tools for Windows that could lead to an authentication bypass. Tracked as CVE-2025-22230, the vulnerability is rated 7.8 on the ten-point Common Vulnerability Scoring System (CVSS).

"VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control," Broadcom said in an alert issued Tuesday. "A malicious actor with non-administrative privileges on a Windows guest VM may gain the ability to perform certain high-privilege operations within that VM."

Credited with discovering and reporting the flaw is Sergey Bliznyuk of Russian cybersecurity company Positive Technologies.

CVE-2025-22230 impacts VMware Tools for Windows versions 11.x.x and 12.x.x. It has been fixed in version 12.5.1. There are no workarounds that address the issue.

CrushFTP Discloses New Flaw

The development comes as CrushFTP has warned customers of an "unauthenticated HTTP(S) port access" vulnerability affecting CrushFTP versions 10 and 11. It has yet to be assigned a CVE identifier.

"This issue affects CrushFTP v10/v11 but does not work if you have the DMZ function of CrushFTP in place," the company said. "The vulnerability was responsibly disclosed, it is not being used actively in the wild that we know of, no further details will be given at this time."

According to details shared by cybersecurity company Rapid7, successful exploitation of the vulnerability could lead to unauthenticated access via an exposed HTTP(S) port.

With security flaws in VMware and CrushFTP previously exploited by malicious actors, it's essential that users move quickly to apply the updates as soon as possible.
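Because the only remediation for CVE-2025-22230 is the 12.5.1 update, the practical defender task is an inventory sweep that separates guests still on an affected 11.x.x or 12.x.x build from those already fixed. The script below is an added example and is not code from the article, Broadcom or VMware; the version facts (11.x.x and 12.x.x affected, fixed in 12.5.1) come from the advisory as quoted above, while the inventory format, the host names and the parse_version/classify/triage functions are assumptions made for illustration. It also handles version strings with a trailing build suffix and the common "12.5" short form, and it deliberately reports versions outside the two named branches as "not_listed" rather than as clean, since the advisory says nothing about them.

```python
"""Inventory triage for CVE-2025-22230 (VMware Tools for Windows).

Added example, not from the article or from Broadcom/VMware. Facts taken
from the advisory as quoted in the article: versions 11.x.x and 12.x.x are
affected, 12.5.1 fixes the issue, and no workaround exists. The inventory
format, host names and the helper functions are assumptions for illustration.
"""
from __future__ import annotations

FIXED_VERSION = (12, 5, 1)   # per the advisory: fixed in 12.5.1
AFFECTED_MAJORS = {11, 12}   # per the advisory: 11.x.x and 12.x.x are affected


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.5.0' or '12.4.5 build-0000' into a comparable integer tuple.

    Only the leading dotted numeric part is used; any build suffix is ignored.
    The tuple is padded to three components so that '12.5' compares as 12.5.0.
    """
    head = text.strip().split()[0]
    parts: list[int] = []
    for piece in head.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable VMware Tools version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'not_listed' for one version string.

    'not_listed' means the major version is outside the branches the advisory
    names (11 and 12); such hosts need manual review, they are not known-clean.
    """
    v = parse_version(version)
    if v[0] not in AFFECTED_MAJORS:
        return "not_listed"
    return "affected" if v < FIXED_VERSION else "fixed"


def is_vulnerable_cve_2025_22230(version: str) -> bool:
    """True only for a version the advisory lists as affected and below 12.5.1."""
    return classify(version) == "affected"


def triage(inventory: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the (host, version) pairs that still need the 12.5.1 update."""
    return [(host, ver) for host, ver in inventory
            if is_vulnerable_cve_2025_22230(ver)]


# Constructed sample inventory (host name, VMware Tools version string).
# These are made-up hosts and versions, not data from the article.
SAMPLE_INVENTORY = [
    ("win-app-01", "12.5.1"),               # fixed release
    ("win-app-02", "12.4.5 build-0000"),    # affected, with a build suffix
    ("win-db-01", "11.3.5"),                # affected 11.x branch
    ("win-legacy-01", "10.3.26"),           # not named by the advisory
    ("win-app-03", "12.5.2"),               # later than the fix
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: VMware Tools {ver} is affected by CVE-2025-22230; "
              f"update to 12.5.1 (no workaround)")
    for host, ver in SAMPLE_INVENTORY:
        if classify(ver) == "not_listed":
            print(f"{host}: VMware Tools {ver} is outside the advisory's "
                  f"listed branches; review manually")
```

Feed triage() the (host, version) pairs from whatever source your environment already has (a vSphere export, an endpoint-management query, or a registry read on each guest) and the affected list is your patch queue; the tuple comparison means a four-part string such as 12.5.1.0 is correctly treated as at or above the fix.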

Daily Brief Summary

CYBERCRIME // New Security Flaws in VMware and CrushFTP Demand Urgent Patches

Broadcom has released patches for a serious security flaw in VMware Tools for Windows, identified as CVE-2025-22230 with a CVSS score of 7.8, that allows an authentication bypass.

The vulnerability allows non-administrative users on a Windows guest VM to perform high-privilege actions within that VM; the affected VMware Tools versions are 11.x.x and 12.x.x.

No workaround is available for this VMware issue; updating to version 12.5.1 is required to mitigate the risk.

Another, unrelated flaw has surfaced in CrushFTP versions 10 and 11, enabling unauthenticated HTTP(S) port access, though according to current reports it is not being actively exploited in the wild.

The CrushFTP vulnerability, which has not yet been assigned a CVE identifier, can be mitigated by enabling CrushFTP's DMZ function, which prevents exploitation.

Both vulnerabilities warrant urgent attention because earlier security weaknesses in VMware Tools and CrushFTP have been exploited by malicious parties.

Organizations using VMware Tools and CrushFTP are advised to apply the security updates promptly to avoid potential breaches and unauthorized access.