Broadcom has issued safety patches to deal with a high-severity safety flaw in VMware Instruments for Home windows that would result in an authentication bypass.
Tracked as CVE-2025-22230, the vulnerability is rated 7.8 on the ten-point Frequent Vulnerability Scoring System (CVSS).
“VMware Instruments for Home windows accommodates an authentication bypass vulnerability attributable to improper entry management,” Broadcom mentioned in an alert issued Tuesday. “A malicious actor with non-administrative privileges on a Home windows visitor VM might acquire the power to carry out sure high-privilege operations inside that VM.”
Credited with discovering and reporting the flaw is Sergey Bliznyuk of Russian cybersecurity firm Constructive Applied sciences.
CVE-2025-22230 impacts VMware Instruments for Home windows variations 11.x.x and 12.x.x. It has been fastened in model 12.5.1. There are not any workarounds that deal with the difficulty.
CrushFTP Discloses New Flaw
The event comes as CrushFTP has warned clients of an “unauthenticated HTTP(S) port entry” vulnerability affecting CrushFTP variations 10 and 11. It has but to be assigned a CVE identifier.
“This concern impacts CrushFTP v10/v11 however doesn’t work if in case you have the DMZ operate of CrushFTP in place,” the corporate mentioned. “The vulnerability was responsibly disclosed, it’s not getting used actively within the wild that we all know of, no additional particulars might be given at the moment.”
In accordance with particulars shared by cybersecurity firm Rapid7, profitable exploitation of the vulnerability might result in unauthenticated entry through an uncovered HTTP(S) port.
With safety flaws in VMware and CrushFTP beforehand exploited by malicious actors, it is important that customers transfer rapidly to use the updates as quickly as attainable.
