VMware Patches VM Escape Flaw Exploited at GeekPwn Event


The leader in virtualization technology, VMware, released emergency updates on Tuesday to address three security flaws in various software programs, including a virtual machine escape bug that was used in the GeekPwn 2022 hacking competition.

Yuhao Jiang, an Ant Security researcher, exploited the VM escape vulnerability, tracked as CVE-2022-31705, on systems running fully patched VMware Fusion, ESXi, and Workstation products. The exploit won first place at GeekPwn, a hacking competition held by Tencent Keen Security Lab in China.

According to a security bulletin released by VMware on Tuesday, a malicious actor with local administrative privileges on a virtual machine may use this issue to execute code as the virtual machine’s VMX process running on the host. The issue has a CVSS severity rating of 9.3/10.
