CVE-2025-22247 is a moderate-severity vulnerability in VMware Tools affecting versions 11.x.x and 12.x.x on Windows and Linux. It enables low-privileged users within a guest virtual machine to tamper with local files, triggering insecure file operations. macOS is not affected.
Vulnerability Summary
- CVE ID: CVE-2025-22247
- Severity: Moderate (CVSS v3.1 score: 6.1)
- Attack Vector: Local (inside guest VM)
- Prerequisites: Non-administrative access within the guest
- Impact: File manipulation leading to unsafe operations within the VM
The flaw resides in the way VMware Tools handles file operations initiated from within the virtual machine. While the vulnerability does not escape the guest VM, it can be part of a local privilege escalation or lateral movement chain in multi-tenant environments.
Affected Software
- VMware Tools 11.x.x and 12.x.x on Windows and Linux
- macOS versions are not affected
Patching and Mitigation
Broadcom has released VMware Tools 12.5.2 to fix the issue for most systems. For Windows 32-bit, VMware Tools 12.4.7 (included in 12.5.2) addresses the vulnerability. On Linux systems, patches will be distributed by the respective Linux vendors via updated open-vm-tools packages.
There are no workarounds. Patching is the only mitigation.
Additional Context
The VMware Tools File Tampering Vulnerability (CVE-2025-22247) adds to a growing list of security issues in VMware’s virtualization stack. Recent examples include the TOCTOU vulnerability CVE-2025-22224 and CVE-2024-43590, both of which impacted ESXi and Workstation products.
These disclosures highlight ongoing risks in virtualization environments and the need for regular updates to core components like VMware Tools.
Organizations using shared infrastructure or multi-tenant virtual machines should evaluate their exposure and apply the latest patches to prevent file-level manipulation that could be used in privilege escalation or internal attack chains.