
VMware Workstation target at the PwnFest hacking competition

VMware Workstation is among the targets of the PwnFest hacking competition. At this event, which is organized alongside the Power of Community security conference in Seoul, security researchers are demonstrating their attack capabilities. The event is modeled after the well-known Pwn2Own competition.

Earlier today at the event, the 360 Marvel Team and security researcher Lokihardt (JungHoon Lee) used the same issue to demonstrate that they could execute code on the VMware Workstation host from the guest. We have received details on this issue directly from the researchers and we are now working on a solution. We have confirmed that the issue is limited to VMware Workstation and VMware Fusion and that ESXi is not affected.

We would like to thank the organizers of the event, the 360 Marvel Team, and Lokihardt for working with us to address the issue.

November 13 update
Today, we’ve published VMware Security Advisory VMSA-2016-0019, which documents the release of VMware Workstation 12.5.2 and VMware Fusion 8.5.2. These new Workstation and Fusion versions address the issue that was demonstrated at the PwnFest event. The issue has been assigned CVE identifier CVE-2016-7461.

– VMware Security Response Center and VMware Workstation Team



3 thoughts on “VMware Workstation target at the PwnFest hacking competition”

  1. vikrant

    Thanks for sharing this useful information with us. Can you please share the details of this issue, like what will be the impact on VMware Workstation and VMware Fusion, and what is the best possible solution for this issue?

    1. Michael Roy

      The issue is resolved in Workstation 12.5.2. The likelihood of this exploit being used in the wild is pretty minimal, but if you have the latest version (which we just released today) you are not impacted at all.

  2. vikrant

    Hi Michael,
    Thanks for your instant reply. I was a little bit concerned about this issue and you have cleared all my doubts on this issue, and thank god this issue has been resolved in Workstation 12.5.2.
