"An Authentication Bypass vulnerability in VMware Tools was responsibly reported to VMware. Updates are available to remediate this vulnerability in the affected VMware products"


VMware has recently reported an Authentication Bypass vulnerability in VMware Tools.


"A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine."


The severity was confirmed as Low.

The following step-by-step guide shows how to apply the VMware Tools upgrade patch to our SynetoOS VM in order to mitigate the vulnerability.


Updating VMware tools to a fixed version


Choose the deploy method based on your network status.
If your server is exposed to the internet, you can follow the online mode.

If, on the contrary, the server is isolated, follow the offline mode deploy instructions.



Deploy ONLINE mode

Step 1: Access ESXCLI through SSH

Step 2: Download and deploy the upgrade

  • Change directory to your datastore deployment folder
    cd /vmfs/volumes/datastore1/deployment
  • Modify firewall rules to be able to download the upgrade bundle
    esxcli network firewall ruleset set -e true -r httpClient
  • Download VMware-Tools-12.2.5
    wget -O esx-vmtools-update.zip https://storage.googleapis.com/syneto_public_files/downloads/VMWare/VMware-Tools-12.2.5-core-offline-depot-ESXi-all-21855600.zip --no-check-certificate
  • Deploy the update
    esxcli software vib install -f -d /vmfs/volumes/datastore1/deployment/esx-vmtools-update.zip

Output should be similar to:
Installation Result
   Message: Operation finished successfully.
   Reboot Required: false
   VIBs Installed: VMware_locker_tools-light_12.2.5.21855600-21858631
   VIBs Removed: VMware_locker_tools-light_12.1.5.20735119-21422485
   VIBs Skipped:



Deploy OFFLINE mode


Before starting the process, download the following file locally:
https://storage.googleapis.com/syneto_public_files/downloads/VMWare/VMware-Tools-12.2.5-core-offline-depot-ESXi-all-21855600.zip


Step 1: Connect to the ESXi GUI

Step 2: Open Datastore Browser

  • Go to the Storage panel and, from the Datastores tab, open the Datastore Browser option

Step 3: Upload the VMware Tools file

  • Navigate to the datastore1 directory and select the deployment folder
  • Upload the VMware Tools file to the deployment folder

Step 4: Access ESXCLI through SSH

Step 5: Deploy the upgrade

  • Change directory to your datastore deployment folder
    cd /vmfs/volumes/datastore1/deployment
  • Modify firewall rules to be able to download the upgrade bundle
    esxcli network firewall ruleset set -e true -r httpClient
  • Deploy the update
    esxcli software vib install -f -d /vmfs/volumes/datastore1/deployment/VMware-Tools-12.2.5-core-offline-depot-ESXi-all-21855600.zip

Output should be similar to:
Installation Result
   Message: Operation finished successfully.
   Reboot Required: false
   VIBs Installed: VMware_locker_tools-light_12.2.5.21855600-21858631
   VIBs Removed: VMware_locker_tools-light_12.1.5.20735119-21422485
   VIBs Skipped:
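
In both modes the bundle is installed with -f, which bypasses esxcli's dependency and acceptance-level checks, and in online mode it is fetched with --no-check-certificate, so the download is not protected by TLS certificate validation. The following is an added example, not part of the original guide or of Syneto's tooling: it checks the bundle's SHA-256 before installing and confirms the tools-light version from the install output. The function names are hypothetical, the expected hash is a placeholder to be obtained from the vendor out-of-band, and sha256sum is assumed to be available in the ESXi shell.

```shell
#!/bin/sh
# Added example: integrity and result checks around the depot install.
# Function names are hypothetical; the expected hash is a placeholder.
# Assumes sha256sum, awk, sed and grep are available in the shell.

# verify_bundle FILE EXPECTED_SHA256
# Returns 0 only when FILE hashes to the value obtained out-of-band,
# 1 on mismatch, 2 when the file does not exist.
verify_bundle() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ] && return 0
    echo "SHA-256 mismatch for $file (got $actual)" >&2
    return 1
}

# installed_tools_version
# Reads "esxcli software vib install" output on stdin and prints the
# tools-light version from the "VIBs Installed:" line (empty if absent).
installed_tools_version() {
    sed -n 's/^ *VIBs Installed:.*tools-light_\([0-9][0-9.]*-[0-9]*\).*/\1/p'
}

# install_ok WANTED_VERSION
# Reads the install output on stdin. Succeeds only if the operation
# reported success and the installed tools-light is WANTED_VERSION.<build>.
install_ok() {
    out=$(cat)
    printf '%s\n' "$out" |
        grep -q 'Message: Operation finished successfully' || return 1
    ver=$(printf '%s\n' "$out" | installed_tools_version)
    case $ver in
        "$1".*) return 0 ;;
        *) echo "unexpected tools-light version: ${ver:-none}" >&2
           return 1 ;;
    esac
}

# Usage on the ESXi host (EXPECTED_SHA256 is a placeholder, not a real value):
#   DEPOT=/vmfs/volumes/datastore1/deployment/esx-vmtools-update.zip
#   verify_bundle "$DEPOT" "$EXPECTED_SHA256" &&
#     esxcli software vib install -f -d "$DEPOT" | install_ok 12.2.5
#   # Close the outbound ruleset again once the download is done:
#   esxcli network firewall ruleset set -e false -r httpClient
```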



VMware resources:

Vulnerability report