CVE-2019-5512 in Workstation Player
Summary
by MITRE
VMware Workstation (15.x before 15.0.3, 14.x before 14.1.6) running on Windows does not handle COM classes appropriately. Successful exploitation of this issue may allow hijacking of COM classes used by the VMX process, on a Windows host, leading to elevation of privilege.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 10/26/2025
This vulnerability resides in VMware Workstation's improper handling of Component Object Model classes on Windows operating systems. The flaw affects versions 15.x before 15.0.3 and 14.x before 14.1.6, creating a critical security gap that enables attackers to manipulate COM class registration and usage within the virtualization environment. The vulnerability specifically impacts the VMX process which is responsible for managing virtual machine operations, making it a prime target for privilege escalation attacks.
The technical implementation of this vulnerability stems from insufficient validation and handling of COM class registration within the VMware Workstation runtime environment. When the VMX process executes on Windows hosts, it relies on proper COM class management to facilitate communication between virtual and physical components. However, the flawed implementation allows malicious actors to register custom COM objects that can intercept or replace legitimate system components, effectively hijacking the execution flow of the VMX process. This improper COM class handling creates a pathway for attackers to execute arbitrary code with elevated privileges, as the hijacked COM classes can be leveraged to gain system-level access.
The operational impact of this vulnerability extends beyond simple privilege escalation, creating potential for complete system compromise when exploited in conjunction with other attack vectors. Attackers can leverage this weakness to execute malicious code within the context of the VMX process, potentially gaining access to sensitive system resources and data stored within virtual machines. The vulnerability's presence in VMware Workstation's Windows implementation means that any user with access to the system can potentially exploit this weakness, making it particularly dangerous in multi-user environments. The privilege escalation occurs because COM class hijacking allows attackers to execute code with the same privileges as the VMX process, which typically runs with elevated permissions.
This vulnerability maps directly to CWE-427 Uncontrolled Search Path Element and CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component, as it involves improper handling of system component registration and execution paths. From an ATT&CK framework perspective, this vulnerability aligns with T1068 Exploitation for Privilege Escalation and T1546 Event Triggered Execution, as it enables attackers to escalate privileges through system component manipulation. The attack chain typically involves registering malicious COM classes that are then loaded by the VMX process, allowing for code execution with elevated privileges. Organizations should implement immediate mitigation strategies including patching to versions 15.0.3 and 14.1.6, implementing strict access controls on VMware Workstation installations, and monitoring for suspicious COM class registrations. Additionally, network segmentation and privilege separation measures should be enforced to limit the potential impact of successful exploitation.