An XML External Entity (XXE) vulnerability in VMware Tools for Windows was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.
Known Attack Vectors
A malicious actor with non-administrative local user privileges in the Windows guest OS where VMware Tools is installed may exploit this issue, leading to a denial-of-service condition or unintended information disclosure.
To remediate CVE-2022-22977, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
VMware would like to thank ycdxsb of VARAS@IIE, Jake Baines of Rapid7 and Sascha Meyer of GAI NetConsult GmbH for reporting this issue to us.
Fixed Version(s) and Release Notes:
VMware Tools for Windows 12.0.5
Initial security advisory.
Copyright 2022 VMware Inc. All rights reserved.