CVE-2024-22245 & 22250: VMware Vulnerabilities Demand Immediate Action

CVE-2024-22245 and CVE-2024-22250

VMware has published an urgent security advisory (VMSA-2024-0003) covering two vulnerabilities, one of them rated critical, in its deprecated Enhanced Authentication Plug-in (EAP). There is no patch; the only remediation is removal. Left in place, the flaws (CVE-2024-22245 and CVE-2024-22250) let an attacker relay a user's Kerberos service tickets to other Active Directory services and hijack a privileged EAP session on a shared Windows host.


Why is this Serious?

  • Exploitation potential: CVE-2024-22245 lets an attacker relay the Kerberos service tickets the victim's browser requests for arbitrary Active Directory SPNs. When the victim is a vSphere administrator, that can translate into control of administrative accounts in your VMware environment.
  • Legacy risk: EAP was deprecated in 2021, but deprecation did not remove it from the Windows workstations where it had been installed. It may still be present and listening, typically on exactly the administrator machines an attacker wants.
  • Attacker's advantage: CVE-2024-22245 (CVSS 9.6, authentication relay) is triggered over the network by luring a user who has EAP installed to a malicious web page; CVE-2024-22250 (CVSS 7.8, session hijack) needs only unprivileged local access to a Windows host on which a privileged user starts an EAP session. Together they offer two distinct entry paths.

"A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs)," VMware explains of CVE-2024-22245.

Of CVE-2024-22250, the advisory states: "A malicious actor with unprivileged local access to a Windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system."

What You Must Do Immediately

VMware has not issued a patch and states that the vulnerabilities are remediated only by removing the affected components entirely:

  1. Uninstall the plug-in: remove the in-browser plug-in "VMware Enhanced Authentication Plug-in 6.7.0" from every Windows client that has it.
  2. Remove the service: uninstall the supporting Windows service, "VMware Plug-in Service".
  3. Use PowerShell as an interim measure: if a full uninstall isn't immediately feasible, stop the service with PowerShell and set its startup type to Disabled until the components can be removed.
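The three steps above, as one script you can push to administrator workstations. This is an added example, not the article's or VMware's own removal script; it assumes only the product and service display names the advisory quotes, and reads the MSI product codes from the registry rather than hard-coding them. Run it from an elevated PowerShell session: `-Mode Report` inventories, `-Mode DisableService` applies the interim measure from step 3, and `-Mode Uninstall` performs the full removal from steps 1 and 2.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not from the original article or VMware's KB.
  Inventories the deprecated EAP components on a Windows host and, depending
  on -Mode, reports, disables the service, or uninstalls both MSIs.
  Assumptions: product display names begin with the strings the advisory
  quotes ("VMware Enhanced Authentication Plug-in", "VMware Plug-in Service")
  and the service's display name begins with "VMware Plug-in Service".
#>
[CmdletBinding()]
param(
    [ValidateSet('Report', 'DisableService', 'Uninstall')]
    [string]$Mode = 'Report'
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-EapProducts {
    # Registry uninstall entries are used instead of Win32_Product, which
    # triggers an MSI consistency check on every registered product.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -like 'VMware Enhanced Authentication Plug-in*' -or
            $_.DisplayName -like 'VMware Plug-in Service*'
        }
}

$products = @(Get-EapProducts)
$service  = Get-Service -DisplayName 'VMware Plug-in Service*' -ErrorAction SilentlyContinue

if (-not $products -and -not $service) {
    Write-Host 'EAP components not found on this host.'
    return
}

foreach ($p in $products) {
    Write-Host ("Installed: {0} {1} (product code {2})" -f $p.DisplayName, $p.DisplayVersion, $p.PSChildName)
}
if ($service) {
    Write-Host ("Service: {0} ({1}) status {2}, start type {3}" -f `
        $service.DisplayName, $service.Name, $service.Status, $service.StartType)
}

if ($Mode -eq 'Report') { return }

# Interim measure (step 3): stop the service and keep it from starting again.
if ($service) {
    Stop-Service -Name $service.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $service.Name -StartupType Disabled
    Write-Host ("Service {0} stopped and disabled." -f $service.Name)
}

if ($Mode -eq 'DisableService') { return }

# Full removal (steps 1 and 2): uninstall each MSI by product code. Windows
# Installer keys the registry entry by the product GUID, so PSChildName is
# the code msiexec needs.
foreach ($p in $products) {
    if ($p.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        $proc = Start-Process -FilePath 'msiexec.exe' `
            -ArgumentList @('/x', $p.PSChildName, '/qn', '/norestart') `
            -Wait -PassThru
        Write-Host ("Uninstall {0}: msiexec exit code {1}" -f $p.DisplayName, $proc.ExitCode)
    } else {
        Write-Warning ("{0} is not MSI-registered; run its UninstallString manually: {1}" -f `
            $p.DisplayName, $p.UninstallString)
    }
}

# Verify that nothing remains before declaring the host clean.
$remaining = @(Get-EapProducts)
if ($remaining) {
    Write-Warning ("{0} EAP component(s) still registered; check the exit codes above." -f $remaining.Count)
} else {
    Write-Host 'EAP removed.'
}
```

Treat an msiexec exit code of 0 as success and 3010 as success pending a reboot; anything else means the product is still registered and the verification step at the end will say so. The service is disabled before the MSIs are removed so that a session cannot be started while the uninstall is running, and the display-name lookup means you do not need to know the service's internal name in advance.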

Don’t Become a Target

These vulnerabilities were not known to be exploited in the wild when the advisory was published, but exploitation requires no foothold in your network: an attacker only has to get a user who still has the plug-in installed to load a web page they control. That makes inventorying every administrator workstation and removing EAP a top priority.

Update: Technical details and a proof-of-concept for both flaws have since been published, so removal should be treated as overdue rather than merely proactive.