Saturday, May 24, 2025
HomeCVE/vulnerabilityVmware Workstation & Fusion Flaws Let Attackers Execute Arbitrary Code

Vmware Workstation & Fusion Flaws Let Attackers Execute Arbitrary Code

Published on

SIEM as a Service

Follow Us on Google News

Multiple security flaws affecting VMware Workstation and Fusion have been addressed by upgrades published by VMware.

If these vulnerabilities are successfully exploited, attackers may be able to obtain privileged data from the device, execute arbitrary code, and cause a denial of service.

VMware issued patches and workarounds to address these vulnerabilities tracked as (CVE-2024-22267, CVE-2024-22268, CVE-2024-22269, CVE-2024-22270).

- Advertisement - Google News

An Overview Of Each Of The Flaws

VMware Workstation And Fusion Vulnerability (CVE-2024-22267) 

The vbluetooth device in VMware Workstation and Fusion has a use-after-free vulnerability.

VMware determined that this problem has a maximum CVSSv3 base score of 9.3, placing it in the Critical severity range.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

“A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host”, the Broadcom-owned virtualization services provider said.

Gwangun Jung (@pr0ln) and Junoh Lee (@bbbig12) of Theori (@theori_io) and STAR Labs SG, in collaboration with the Pwn2Own 2024 Security Contest, reported the issue. 

VMware Workstation And Fusion Shader Heap Buffer-Overflow Vulnerability (CVE-2024-22268) 

A heap buffer-overflow vulnerability exists in the Shader functionality of VMware Workstation and Fusion.

VMware determined that this problem has a maximum CVSSv3 base score of 7.1, placing it in the Important severity level.

This vulnerability might allow a malicious actor with non-administrative access to a virtual machine that has 3D graphics enabled to cause a denial of service condition.

Pwn2car disclosed this bug along with the Trend Micro Zero Day Initiative.

VMware Workstation And Fusion Vbluetooth Information Disclosure Vulnerability (CVE-2024-22269) 

The vbluetooth device in VMware Workstation and Fusion has an information leak vulnerability.

VMware determined that this issue has a maximum CVSSv3 base score of 7.1, placing it in the Important severity level.

A hostile actor may be able to read privileged data from a virtual machine’s hypervisor memory if they have local administrative privileges on the virtual machine.

STAR Labs SG disclosed this bug in collaboration with the Pwn2Own 2024 Security Contest.

VMware Workstation And Fusion HGFS Information Disclosure Vulnerability (CVE-2024-22270) 

The Host Guest File Sharing (HGFS) feature of VMware Workstation and Fusion contains a vulnerability related to information exposure.

VMware determined that this issue has a maximum CVSSv3 base score of 7.1, placing it in the Important severity level.

A malicious actor may be able to read privileged data from a virtual machine’s hypervisor memory if they have local administrative privileges on the virtual machine.

This vulnerability was discovered by Gwangun Jung (@pr0ln) and Junoh Lee (@bbbig12) of Theori (@theori_io), who took part in the Pwn2Own 2024 Security Contest.

Fixes Available

The vulnerability impacts Workstation versions 17.x and Fusion versions 13.x with fixes available in version 17.5.2 and 13.5.2 respectively.

Users of the impacted VMware products are advised to install the patch as soon as they can.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...