Product Releases
Product | Version | Date | Download | Release Notes |
---|---|---|---|---|
Data Services Manager | 2.2.2 | 04/25 | Download | Release Notes |
VMware Tools | 12.5.2 | 05/12 | Download | Release Notes |
Automation | 8.18.1 P2 | 05/12 | Download | Release Notes |
VMware Cloud Foundation | 5.2.1.2 | 04/30 | | |
VMware Security Advisories
VMSA-2025-0007 [MEDIUM] [CVSSv3: 6.1]
Products: VMware Tools
CVE(s)
- VMware Tools Insecure File Handling Vulnerability (CVE-2025-22247)
Description
An insecure file handling vulnerability in VMware Tools was privately reported to VMware. Updates are available to remediate this vulnerability in the affected VMware products. VMware Tools contains an insecure file handling vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1. A malicious actor with non-administrative privileges on a guest VM may tamper with local files to trigger insecure file operations within that VM. To remediate CVE-2025-22247, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
VMware would like to thank Sergey Bliznyuk of Positive Technologies for reporting this issue to us.
Response Matrix
Version | CVE | Fixed Version | Workaround |
---|---|---|---|
12.x.x, 11.x.x (Windows) | CVE-2025-22247 | 12.5.2 [1] | None |
12.x.x, 11.x.x (Linux) | CVE-2025-22247 | 12.5.2 [3] | None |
12.x.x, 11.x.x (macOS) | CVE-2025-22247 | Unaffected | N/A |
[1] VMware Tools 12.4.7, which is part of VMware Tools 12.5.2, also addresses the issue for Windows 32-bit.
[2] A version of open-vm-tools that addresses CVE-2025-22247 will be distributed by Linux vendors.
[3] Fixed versions may differ based on the Linux distribution version and the distribution vendor.
VMSA-2025-0008 [HIGH] [CVSSv3: 8.2]
Products: Aria Automation
CVE(s)
- DOM-based Cross-Site Scripting (XSS) vulnerability (CVE-2025-22249)
Description
A DOM-based Cross-Site Scripting (XSS) vulnerability in VMware Aria Automation was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products. VMware Aria Automation contains a DOM-based Cross-Site Scripting (XSS) vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.
A malicious actor may exploit this issue to steal the access token of a logged-in user of the VMware Aria Automation appliance by tricking the user into clicking a maliciously crafted payload URL. To remediate CVE-2025-22249, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.
VMware would like to thank Bartosz Reginiak for reporting this issue to us.
Response Matrix
Version | CVE | Fixed Version | Workaround |
---|---|---|---|
Automation 8.18.x | CVE-2025-22249 | 8.18.1 patch 2 | None |
VCF 5.x / 4.x | CVE-2025-22249 | KB394224 | None |
Telco Cloud 5.x | CVE-2025-22249 | 8.18.1 patch 2 | N/A |
KB Article
Subject | ID |
---|---|
Virtual machines are unavailable on vSAN due to inaccessible objects error "vSAN Object Health" | 397048 |
VMware vSphere Security Configuration Guide for SOC2 Audit compliance | 396963 |
Unable to SSH into Aria Suite Lifecycle Manager with root; it says "Access Denied" | 396950 |
To deactivate shell access for non-root ESXi users in ESXi 8.0 | 396941 |
NSX Edge HA not working as expected | 396916 |
Unable to configure HCX adapter in Aria Operations | 396905 |
Upgrade VMware Aria Operations for Logs: Upgrade Failed | 396856 |
Unable to create a VM and deploy Windows Server 2025. | 396832 |
How to check Release and Photon OS Version on Aria Operations | 396820 |
vSphere license usage cannot display properly when vCenter Server’s CA certificate is missing on Aria Operations | 396789 |
Unable to create vSAN disk group because some disks show as ineligible | 396697 |
Log forwarding issue state idle in Aria Operations for Logs | 396685 |
Virtual machine becomes unresponsive due to host memory exhaustion | 396565 |
VMs unable to ping when on Distributed vSwitch (vDS) | 396559 |
ESXi hosts show degraded in UI, but everything related shows as being "UP" | 396427 |
How to get the VM’s name as present in vCenter inventory within Guest OS | 396357 |
ESXi host is inaccessible via its IPv6 address | 396356 |
The 'Deleted VMs' widget is not showing values in Aria Operations for Logs on the 'Virtual Machine – Overview' dashboard | 396332 |
vSAN Skyline Health Check "NVMe device is VMware Certified" shows previously certified NVMe devices as "Uncertified" | 396331 |
Virtual Events
Why is VCF the best platform to run VMs and Containers Part 2: Deep Dive VMUG | 05/13 Webinar |
---|---|
Kubernetes is everywhere these days. Organizations are using Kubernetes to build and run modern apps. VCF is a single platform for containers and VMs with built-in VMware vSphere Kubernetes Service (VKS), a CNCF-certified, upstream-conformant Kubernetes runtime, for organizations to run modern containerized applications alongside traditional VMs on the same infrastructure. Join this session to learn how VCF makes it easy to run modern and traditional workloads side by side and enables cloud admin teams and platform teams to collaborate so much better. |
The Modern VKS: Unlocking What’s Already Inside Your vSphere Kubernetes Service Architect’s Edge Live | 05/27 Webinar |
---|---|
You’ve already got the tools—now it’s time to unlock their full potential. Join VMware by Broadcom’s own Bryan Sullins for a lively, myth-busting session exploring the modern vSphere Kubernetes Service (VKS). We’ll unpack what’s changed, what’s possible, and how to take advantage of features you may not even know you have. Whether you’re a longtime vSphere admin or just Kubernetes-curious, you’ll walk away with a clearer understanding of how VKS fits into your environment—and why it’s more relevant than ever. No fluff. No steep learning curve. Just practical insights to help you activate what’s already there. If you think you know VKS… think again. It’s a new day for vSphere + Kubernetes—and it starts right here. |