Category Archives: Vulnerability

VMware Windows Tools Vulnerability Causes Authentication Bypass (CVE-2025-22230)

Posted on by

This article peeked my interest due to the nature of it being a VMware vulnerability. Between the fact that I worked for VMware for many years and I was just working inside VMware Workstation Pro building out a Windows environment the last few days made me take a second look on this article.

The bigger company and more widely used your products, the more it makes you a target for hackers. This just proves no matter how much they may dedicate to securing software, there is always someone smarter and with the time and resources to find a way in!

Below article written by Sergiu Gatlan

Broadcom released security updates today to fix a high-severity authentication bypass vulnerability in VMware Tools for Windows.

VMware Tools is a suite of drivers and utilities designed to improve performance, graphics, and overall system integration for guest operating systems running in VMware virtual machines.

The vulnerability (CVE-2025-22230) is caused by an improper access control weakness and was reported by Sergey Bliznyuk of Positive Technologies (a sanctioned Russian cybersecurity company accused of trafficking hacking tools).

Local attackers with low privileges can exploit it in low-complexity attacks that don’t require user interaction to gain high privileges on vulnerable VMs.

“A malicious actor with non-administrative privileges on a Windows guest VM may gain ability to perform certain high-privilege operations within that VM,” VMware explains in a security advisory published on Tuesday.

Earlier this month, Broadcom also patched three VMware zero days (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226), which were tagged as exploited in attacks and reported by the Microsoft Threat Intelligence Center.

As the company explained at the time, attackers with privileged administrator or root access can chain these vulnerabilities to escape the virtual machine’s sandbox.

Days after patches were released, threat monitoring platform Shadowserver found over 37,000 internet-exposed VMware ESXi instances vulnerable to CVE-2025-22224 attacks.

Ransomware gangs and state-sponsored hackers frequently target VMware vulnerabilities, as VMware products are widely used in enterprise operations to store or transfer sensitive corporate data.

For instance, in November, Broadcom warned that attackers were exploiting two VMware vCenter Server vulnerabilities: a privilege escalation to root (CVE-2024-38813) and a critical remote code execution flaw (CVE-2024-38812) identified during China’s 2024 Matrix Cup hacking contest.

In January 2024, Broadcom also disclosed that Chinese state hackers had used a critical vCenter Server zero-day vulnerability (CVE-2023-34048) since late 2021 to deploy VirtualPita and VirtualPie backdoors on affected ESXi systems.

SOURCE ARTICLE:

https://www.bleepingcomputer.com/news/security/broadcom-warns-of-authentication-bypass-in-vmware-windows-tools/?utm_source=tldrinfosec

(3) ESXi Zero Day Vulnerabilities: CVE-2025–22224/22225/22226

Posted on by

Written By: Kevin Beaumont

March 4th, VMware quietly released patches for three ESXi zero day vulnerabilities: CVE-2025–22224, CVE-2025–22225, CVE-2025–22226.

Although the advisory doesn’t explicitly say it, this is a hypervisor escape (aka a VM Escape). A threat actor with access to run code on a virtual machine can chain the three vulnerabilities to elevate access to the ESX hypervisor.

This is backed up by VMware’s official Github, which says:

Yes, this is being actively exploited in the wild.

Once you have ESX access, you can access everything on the ESX server — which includes things such as VM data, and crucially ESX config and mounted storage. Using ESX config and mounted network storage, you can traverse the VMware environment.

My pretty diagram:

Feel free to use this carefully prepared graphic to brief your board or the public

For example, orgs use vMotion to allow virtual machines to automatically move across ESX hosts, to balance load and allow for maintenance without downtime (it’s how VMware security patching works). Because of this, a threat actor has direct access to storage of VMs both on and not on that host by design — they’re basically loose on the backend.

Areas of concern

ESXi is a ‘black box’ environment, where you don’t have EDR tools and such — it is locked down. As such, a hypervisor escape means a threat actor is outside of all security tooling and monitoring. They can, for example, access Active Directory Domain Controller databases without triggering any alerts anywhere in the stack, or delete data.

This is frequently seen in ransomware incidents, where people directly exploit the ESX server or vCenter server over the VMware management network using unpatched vulnerabilities. Once they reach ESX, they reach directly into storage across the whole cluster.

However, being able to reach the ESX server hypervisor directly from the Virtual Machine significantly raises the risk. For example, you don’t need to find the ESX server details, or reach a segregated network.

‘But Kevin’ you may say ‘if a threat actor gained access to a VM it’d be game over’. Well… not so much. Threat actors gain access to endpoints all the time in any large org, e.g. malware initial access on end user PCs. When you have VDIs on VMware, you have a problem. When you have shared servers on VMware, you have a problem. Compromise one of system in a company is not usually a big problem in the short term. Immediate compromise of all of them is a big problem.

Additionally, there are around 500 Managed VMware providers, who operate as effectively clouds, allowing SMBs to purchase fully managed VMs, on demand compute basically. A compromise of one customer VM would allow compromise of every customer VM in the same managed provider.

This also applies to companies who have built their own Private Clouds using VMware, and use VMware to segregate business units.

Versions impacted

The Broadcom advisory is currently incomplete for some reason. For example VMware’s Github lists versions 6.5 and 6.7 as impacted, and patches are available on VMware’s website — but VMware’s advisory on the Broadcom site doesn’t list them as impacted as of writing. Basically, every release of ESX is impacted.

I understand 5.5 is also impacted, however it is out of support so no patch is available.

Continue reading article here!

SAML Roulette – The Hackers Typically Win

Posted on by
SAML
SAML

Article by Gareth Heyes

Introduction:

In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Enterprise by exploiting the ruby-saml library.

While researching this, GitHub independently discovered and patched our vulnerabilities. However, their disclosure omits key technical details, including the specific mutation and how to exploit it without authentication.

https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/

We believe sharing the full details on how these attacks work is crucial for improving security by empowering everyone with the knowledge needed to identify, mitigate, and defend against such threats effectively.

This research began after we came across a fascinating post by Juho Forsén detailing an XML round-trip vulnerability. What started as curiosity quickly spiraled into a deep dive into the intricacies of SAML, uncovering far more than we initially expected. We spent months exploring various round-trip attacks with the goal of presenting our findings at Black Hat. However, as luck would have it, we ran into a research collision with Alexander Tan ( ahacker1 ), leading to our discoveries being patched before we could submit. Despite that twist, we believe this work is still worth sharing, and while it may not be hitting Black Hat this year, we hope you find it just as compelling.

Round-trip attacks 101

SAML libraries often parse an XML document, store it as a string, and later re-parse it. In Ruby-SAML, this process involves two different parsers: REXML, which is used to parse the document and validate the signature, and Nokogiri, which is used to access attributes. If any mutations occur during this process, the document may not be identical when parsed a second time.

For secure authorization, the document must be parsed and serialized consistently; otherwise, structural inconsistencies may arise. These inconsistencies can be exploited in a round-trip attack. By leveraging XML comments and CDATA sections, an attacker can manipulate the document’s structure during mutation, bypassing signature verification and effectively gaining unauthorized access by assuming another user’s identity.

Round-trip attack on Ruby SAML/REXML

To facilitate testing, we developed a testbed to identify round-trip vulnerabilities and efficiently evaluate multiple SAML libraries. I began by examining the document type definition (DOCTYPE), as similar vulnerabilities had been discovered in the past. My initial approach focused on analyzing how XML entities were parsed, so I conducted tests in that area.

In Juho’s original discovery, notation declarations were used to introduce inconsistencies in how quotes were interpreted. Building on this, I investigated whether any additional vulnerabilities had been overlooked. After extensive testing, I found that mutations could be introduced within the SYSTEM identifier.

Continue reading the rest of the article by Gareth Heyes below!

SOURCE ARTICLE: Click Here!