VMware Tools: VMware Tools insecure file handling (CVE-2025-22247)
Summary
Hello and welcome to today’s security podcast. We’re focusing on CVE-2025-22247, an insecure file handling vulnerability in VMware Tools that was published on May 12, 2025. This flaw allows a malicious actor with only non-administrative privileges inside a guest VM to tamper with local files and trigger unintended file operations within that VM.
Product details
The issue affects VMware Tools versions earlier than 12.5.2, including the open-vm-tools packages commonly used in Linux distributions. Debian 11 issued advisory DLA-4165-1 to address this flaw in its open-vm-tools package. Fedora 41 and Fedora 42 have both been updated to open-vm-tools version 12.5.2 to remediate CVE-2025-22247.
Vulnerability type summary
CVE-2025-22247 is categorized under CWE-59: Improper Link Resolution Before File Access, also known as ‘Link Following.’ In this class of vulnerability, an attacker can exploit symbolic links or manipulated file paths to get the application to operate on files it shouldn’t.
Details of the vulnerability
Under the hood, VMware Tools performs certain file operations during guest-host integrations. An attacker with low-level VM access can replace or create specially crafted symlinks or files in the guest filesystem. When VMware Tools next performs its file handling routines—such as updating shared folders or copying tools binaries—it follows those links and acts on unintended targets. This can lead to unauthorized file writes, overwrites or reads inside the guest, and in some configurations may be leveraged to escape the guest or compromise host-side processes.
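A privileged process avoids the link-following pattern described above by opening the file relative to a directory handle with O_NOFOLLOW and then checking the opened object with fstat. The C code below is an added example, not code from VMware Tools or open-vm-tools and not the vendor's fix; the function names, the file names and the temporary directory are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `name` under directory handle `dfd` for writing. Refuses a symlink in the
 * last path component and any file that is not regular or has extra hard links. */
int safe_open_write(int dfd, const char *name)
{
    struct stat st;
    /* O_NOFOLLOW: open fails on a symlink. No O_TRUNC before the checks below. */
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    /* Inspect the object actually opened, not the path, so there is no re-lookup. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: "protected" stands in for a sensitive file, "staged" is a
 * planted symlink to it, "alias" a hard link. Returns 0 when both are refused,
 * the target is intact and a new file is written. */
int demo(void)
{
    char dir[] = "/tmp/linkdemo-XXXXXX";
    struct stat st;
    int rc = 0, fd, dfd;
    if (!mkdtemp(dir) || (dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    fd = openat(dfd, "protected", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret", 6) != 6 || close(fd) != 0)
        return -1;
    if (symlinkat("protected", dfd, "staged") != 0 ||
        linkat(dfd, "protected", dfd, "alias", 0) != 0)
        return -1;
    if ((fd = safe_open_write(dfd, "staged")) >= 0) { rc |= 1; close(fd); }
    if ((fd = safe_open_write(dfd, "alias")) >= 0) { rc |= 2; close(fd); }
    if (fstatat(dfd, "protected", &st, 0) != 0 || st.st_size != 6) rc |= 4;
    if ((fd = safe_open_write(dfd, "fresh")) < 0 || write(fd, "ok", 2) != 2) rc |= 8;
    if (fd >= 0) close(fd);
    unlinkat(dfd, "staged", 0); unlinkat(dfd, "alias", 0);
    unlinkat(dfd, "protected", 0); unlinkat(dfd, "fresh", 0);
    close(dfd); rmdir(dir);
    return rc;
}
int main(void) { return demo(); }
```

O_NOFOLLOW covers only the last path component, so the directory handle itself must come from a location the unprivileged user cannot replace.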
Conclusion
To protect your environments, immediately update VMware Tools or open-vm-tools to version 12.5.2 or later. If you’re running Debian 11, apply the DLA-4165-1 patch. Fedora users should ensure they’re on the patched Fedora 41 or 42 packages. Keeping guest integrations current is critical to maintaining isolation and preventing privilege escalation, so make this update part of your standard patch cycle.
Remediation and exploitation details
This chain involves the following actors
- Malicious Guest User: A non-administrative user inside the virtual machine who seeks to exploit the file handling vulnerability.
- Virtual Machine Administrator: Responsible for patching VMware Tools or open-vm-tools on guest machines.
The following systems are involved
- Guest Virtual Machine: Runs user workloads and VMware Tools for integration with the host. Environment in which the insecure file operations occur.
- VMware Tools / open-vm-tools: Provides guest-host communication, file copy and synchronization services. Contains the insecure file handling component to be exploited.
Attack entry point
- User-Writable File Directory: Any directory inside the guest VM where the malicious user can create or modify files that VMware Tools will process.
Remediation actions
Exploitation actions
Reconnaissance
- ls /etc/vmware-tools
- grep -R 'guestfile' /usr/lib/vmware-tools
File Tampering
- ln -s /etc/shadow /tmp/vmware_temp_file
- echo 'payload' > /tmp/vmware_temp_file
Insecure File Handling Trigger
- Invoke file copy from host to guest
- Run a guest-host folder synchronization job
Privilege Misuse
- Tool writes to /etc/shadow via the symlink
- Elevates guest user access by corrupting system files
Post-Exploitation
- Extract password hashes from overwritten files
- Install backdoor with root permissions
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683
- [2025-05-14] Debian 11 DLA-4165-1 advisory for open-vm-tools file handling vulnerability CVE-2025-22247.
- [2025-05-25] Fedora 41 updates open-vm-tools to version 12.5.2 to fix CVE-2025-22247.
- [2025-05-20] Fedora 42 updates open-vm-tools to version 12.5.2, fixing CVE-2025-22247.