CVE-2024-22245: VMware Flaw “EAP” Puts Windows Users’ Data at Risk

VMware has recently discovered a serious security vulnerability, CVE-2024-22245, and is advising users to immediately uninstall the outdated version of the Enhanced Authentication Plugin (EAP).

About CVE-2024-22245

The security vulnerability CVE-2024-22245 has a CVSS score of 9.6 (extremely risky) and is identified as an arbitrary authentication relay issue. Hackers can use this vulnerability to exploit EAP, potentially stealing data from compromised systems and downloading malware.

According to the company’s advisory, hackers might deceive a user who has “EAP” installed in their web browser, potentially tricking them into requesting and sending special access tokens (called “service tickets”) for “Active Directory” Service Principal Names (SPNs).

Why CVE-2024-22245 Is Critical:

  • Scored 9.6 on the CVSS severity scale, which is extremely risky.
  • Hackers can easily exploit this vulnerability to gain unauthorized access.
  • VMware refused to fix the flaw, advising users to uninstall EAP immediately.

VMware Enhanced Authentication Plug-in 6.7.0

EAP is a software package that was discontinued in March 2021. Enhanced Authentication Plugin was intended to enable web browser-based direct access to vSphere’s administrative interfaces and tools. Furthermore, it’s not part of Cloud Foundation, ESXi, or vCenter Server, and it’s not included by default.

Additionally, a session hijack vulnerability, CVE-2024-22250 (CVSS score: 7.8), was detected in the same program. Hackers could use this vulnerability to gain unauthorized access and control privileged EAP sessions in the Windows system.

The twin vulnerabilities were reportedly found and reported by Pen Test Partners’ Ceri Coburn.

Vulnerability Description

Vulnerability: CVE-2024-22245
CVSS Score: 9.6 (extremely risky)
Vulnerability Type: Arbitrary Authentication Relay Issue
Potential Risks: Exploiting this vulnerability, attackers can:

  • Steal sensitive information.
  • Disrupt or disable services.
  • Install malware.

Possible Solution: Uninstall EAP and restore browser settings.

How the CVE-2024-22245 Vulnerability Works:

EAP facilitates secure logins by establishing a connection between the user and the server, enabling web browsers to send an authentication request to vSphere. Hackers can create a website or email containing malicious links. Clicking the link triggers EAP in the user’s browser, redirecting the request to a server controlled by hackers instead of the vSphere server.

It is important to note that this issue only affects users who have enabled EAP on Microsoft Windows computers in order to connect to VMware vSphere using the vSphere Client.

The company, owned by Broadcom, stated that the vulnerabilities would not be fixed and advised users to uninstall the plugin completely in order to lessen any possible risks. The company also mentioned that the uninstall feature provided by the client operating system can be used to remove EAP from client systems.

Security researcher Stefan Schiller stated that by tricking an administrator into clicking on a malicious link, hackers can exploit this vulnerability to execute code remotely.

What Users Should Do:

  • Uninstall the Enhanced Authentication Plugin.
  • Update your “VMware vSphere” software.
  • Keep your software updated regularly, like patching a leaky roof to prevent further damage.
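
To find Windows machines that still need the uninstall step above, the following PowerShell check (an added example, not VMware's or this article's own tooling) searches the standard Windows uninstall registry keys for the product name given on this page. It assumes the installer registers a DisplayName beginning with "VMware Enhanced Authentication Plug-in"; the function name Get-EapInstall is hypothetical.

```powershell
# Added example: inventory check for the deprecated plug-in named on this page.
# Assumption: the product registers a DisplayName that starts with the string
# below in the per-machine Uninstall keys. Adjust the pattern if yours differs.
$pattern = 'VMware Enhanced Authentication Plug-in*'

# 64-bit and 32-bit (WOW6432Node) per-machine uninstall registrations.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Hypothetical helper: returns one object per matching registration.
function Get-EapInstall {
    param(
        [string[]]$Path = $uninstallKeys,
        [string]$NamePattern = $pattern
    )
    foreach ($p in $Path) {
        Get-ItemProperty -Path $p -ErrorAction SilentlyContinue |
            # Some uninstall entries have no DisplayName; skip those safely.
            Where-Object { $_.PSObject.Properties['DisplayName'] -and
                           $_.DisplayName -like $NamePattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    DisplayName     = $_.DisplayName
                    DisplayVersion  = $_.DisplayVersion
                    UninstallString = $_.UninstallString
                    RegistryKey     = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                }
            }
    }
}

$found = @(Get-EapInstall)
if ($found.Count -eq 0) {
    Write-Output "OK: no matching plug-in registration found on $env:COMPUTERNAME"
}
else {
    # Show what was found so it can be removed with the OS uninstall feature.
    $found | Format-List
    Write-Warning "$($found.Count) matching install(s) found on $env:COMPUTERNAME; uninstall the plug-in."
}
```

The check only reads the registry, so it can be run as a standard user and scheduled across a fleet to confirm that removal is complete.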


The VMware Enhanced Authentication Plugin (EAP) issue is a critical threat to users’ privacy and system security. A CVSS score of 9.6 is seriously alarming. This arbitrary authentication relay issue can cause session hijacking and puts Active Directory at risk. However, the specific technical details regarding the vulnerability have not been released as of now. Meanwhile, users should not waste another second and should uninstall the outdated VMware Enhanced Authentication Plugin (EAP) in order to avoid exploitation of the CVE-2024-22245 security vulnerability.
