THREATOPS
THREAT OPSThreat News › On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025

On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025

lowsynacktiv

At Pwn2Own Berlin 2025, we exploited VMware Workstation by abusing a Heap-Overflow in its PVSCSI controller implementation. The vulnerable allocation landed in the LFH allocator of Windows 11, whose exploit mitigations posed a major challenge. We overcame this through a complex interplay of techniques: defeating the LFH randomization using a side-channel; shaping and carefully preserving an exploi

Original source: https://www.synacktiv.com/en/publications/on-the-clock-escaping-vmware-workstation-at-pwn2own-berlin-2025.html