Broadcom has issued safety patches to deal with a high-severity safety flaw in VMware Instruments for Home windows that might result in an authentication bypass.
Tracked as CVE-2025-22230, the vulnerability is rated 7.8 on the ten-point Frequent Vulnerability Scoring System (CVSS).
“VMware Instruments for Home windows comprises an authentication bypass vulnerability because of improper entry management,” Broadcom stated in an alert issued Tuesday. “A malicious actor with non-administrative privileges on a Home windows visitor VM might achieve the flexibility to carry out sure high-privilege operations inside that VM.”
Credited with discovering and reporting the flaw is Sergey Bliznyuk of Russian cybersecurity firm Constructive Applied sciences.
CVE-2025-22230 impacts VMware Instruments for Home windows variations 11.x.x and 12.x.x. It has been mounted in model 12.5.1. There aren’t any workarounds that tackle the problem.
CrushFTP Discloses New Flaw
The event comes as CrushFTP has warned clients of an “unauthenticated HTTP(S) port entry” vulnerability affecting CrushFTP variations 10 and 11. It has but to be assigned a CVE identifier.
“This difficulty impacts CrushFTP v10/v11 however doesn’t work if in case you have the DMZ operate of CrushFTP in place,” the corporate stated. “The vulnerability was responsibly disclosed, it’s not getting used actively within the wild that we all know of, no additional particulars might be given at the moment.”
In line with particulars shared by cybersecurity firm Rapid7, profitable exploitation of the vulnerability might result in unauthenticated entry through an uncovered HTTP(S) port.
With safety flaws in VMware and CrushFTP beforehand exploited by malicious actors, it is important that customers transfer rapidly to use the updates as quickly as attainable.
Replace
The vulnerability impacting CrushFTP has been assigned the CVE identifier CVE-2025-2825. It carries a CVSS rating of 9.8 out of 10, indicating vital severity.
“CrushFTP variations 10.0.0 by 10.8.3 and 11.0.0 by 11.3.0 are affected by a vulnerability that will end in unauthenticated entry,” in keeping with an advisory for the flaw. “Distant and unauthenticated HTTP requests to CrushFTP might permit attackers to achieve unauthorized entry.”
ProjectDiscovery, in a technical write-up, stated the vulnerability resides in a part that handles the flexibility to make use of Amazon S3 because the backend file system. “The vulnerability exists within the loginCheckHeaderAuth() technique of ServerSessionHTTP.java, which processes HTTP requests with S3-style authorization headers,” it stated.
Particularly, the problem has to do with a setting known as “lookup_user_pass” that is set to true by default when processing S3 authentication headers if the username does not include a tilde character (~).
This enables unauthenticated attackers to bypass authentication and achieve unauthorized entry, totally bypassing signature and password validation steps designed to make sure the request is genuine. A proof-of-concept (PoC) exploit has been launched for CVE-2025-2825, making it important that customers apply the newest repair.
“Exploiting this vulnerability is easy,” ProjectDiscovery stated. “An attacker solely must craft an HTTP request with: 1) An AWS S3-style authorization header with a sound username. 2) A CrushAuth cookie with matching c2f parameter values.”
(The story was up to date after publication to incorporate particulars of the CVE identifier and the PoC.)