Broadcom has issued security patches to handle a high-severity security flaw in VMware Instruments for Home windows that would result in an authentication bypass.
Tracked as CVE-2025-22230, the vulnerability is rated 7.8 on the ten-point Frequent Vulnerability Scoring System (CVSS).
“VMware Instruments for Home windows incorporates an authentication bypass vulnerability as a result of improper entry management,” Broadcom mentioned in an alert issued Tuesday. “A malicious actor with non-administrative privileges on a Home windows visitor VM could achieve the power to carry out sure high-privilege operations inside that VM.”
Credited with discovering and reporting the flaw is Sergey Bliznyuk of Russian cybersecurity firm Optimistic Applied sciences.
CVE-2025-22230 impacts VMware Instruments for Home windows variations 11.x.x and 12.x.x. It has been fastened in model 12.5.1. There are not any workarounds that tackle the difficulty.
CrushFTP Discloses New Flaw
The event comes as CrushFTP has warned prospects of an “unauthenticated HTTP(S) port entry” vulnerability affecting CrushFTP variations 10 and 11. It has but to be assigned a CVE identifier.
“This problem impacts CrushFTP v10/v11 however doesn’t work you probably have the DMZ operate of CrushFTP in place,” the corporate mentioned. “The vulnerability was responsibly disclosed, it’s not getting used actively within the wild that we all know of, no additional particulars will probably be given right now.”
Based on particulars shared by cybersecurity firm Rapid7, profitable exploitation of the vulnerability may result in unauthenticated entry by way of an uncovered HTTP(S) port.
With security flaws in VMware and CrushFTP beforehand exploited by malicious actors, it is important that customers transfer shortly to use the updates as quickly as potential.
