CVE-2021-22045 – VMware ESXi, VMware Workstation and VMware Fusion contain a heap-overflow vulnerability in CD-ROM device emulation (4th Jan 2022)

Preface: You cannot connect to a virtual machine’s CD/DVD-ROM device with the Administrator role. By default, the Administrator role does not have permission to access a virtual machine’s CD/DVD-ROM device.

Background: Most of the files stored on a VMFS volume are large files: virtual disk files, swap files and installation image files. VMFS operates on disks attached to ESXi servers, but not on computers running VMware Workstation or VMware Player. VMFS 6 was released in vSphere 6.5 and is used in vSphere 6.7, vSphere 7.0, and newer versions such as vSphere 7.0 Update 3.

Vulnerability details: VMware ESXi (7.0, 6.7 before ESXi670-202111101-SG and 6.5 before ESXi650-202110101-SG), VMware Workstation (16.2.0) and VMware Fusion (12.2.0) contain a heap-overflow vulnerability in CD-ROM device emulation. A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.

VMware has released a security advisory for ESXi hosts. Fixes for ESXi 6.5 and 6.7 are available; for 7.0, however, only a workaround is provided. For more details, please refer to https://kb.vmware.com/s/article/87249
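
Because the flaw is reachable only from a virtual machine that has an emulated CD-ROM device, a useful first step for a defender is to list which VMs have one. The sketch below is an added example, not VMware's code and not part of the original post: it parses .vmx configuration text and reports the CD/DVD drives that are present. The sample configurations are constructed, and treating a missing "present" key as FALSE and a missing "startConnected" key as TRUE is an assumption.

```python
import re

# VMX deviceType values that denote an emulated CD/DVD-ROM drive.
CDROM_TYPES = {"cdrom-image", "cdrom-raw", "atapi-cdrom"}
# Matches per-device lines such as: ide1:0.deviceType = "cdrom-image"
# Controller lines (e.g. scsi0.present) have no ":<unit>" and are skipped.
LINE_RE = re.compile(
    r'^\s*((?:ide|sata|scsi)\d+:\d+)\.(\w+)\s*=\s*"([^"]*)"\s*$', re.I)

def cdrom_devices(vmx_text):
    """Return {slot: {"type": str, "start_connected": bool}} for present CD-ROMs."""
    slots = {}
    for line in vmx_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            slot, key, value = m.group(1).lower(), m.group(2).lower(), m.group(3)
            slots.setdefault(slot, {})[key] = value
    found = {}
    for slot, keys in slots.items():
        dev_type = keys.get("devicetype", "").lower()
        if dev_type not in CDROM_TYPES:
            continue
        # Assumption: a slot without present = "TRUE" is not attached.
        if keys.get("present", "FALSE").upper() != "TRUE":
            continue
        # Assumption: startConnected defaults to TRUE when the key is absent.
        connected = keys.get("startconnected", "TRUE").upper() == "TRUE"
        found[slot] = {"type": dev_type, "start_connected": connected}
    return found

def exposed_vms(configs):
    """Given {name: vmx_text}, return sorted names of VMs with a CD-ROM device."""
    return sorted(name for name, text in configs.items() if cdrom_devices(text))

# Constructed sample configurations (not taken from any real host).
SAMPLE = {
    "web01.vmx": 'ide1:0.present = "TRUE"\n'
                 'ide1:0.deviceType = "cdrom-image"\n'
                 'ide1:0.fileName = "/vmfs/volumes/ds1/iso/install.iso"\n'
                 'ide1:0.startConnected = "FALSE"\n',
    "db01.vmx": 'scsi0.present = "TRUE"\n'
                'scsi0:0.present = "TRUE"\n'
                'scsi0:0.deviceType = "scsi-hardDisk"\n'
                'sata0:0.present = "FALSE"\n'
                'sata0:0.deviceType = "cdrom-raw"\n',
    "app01.vmx": 'sata0:1.present = "TRUE"\n'
                 'sata0:1.deviceType = "atapi-cdrom"\n',
}

if __name__ == "__main__":
    for vm in exposed_vms(SAMPLE):
        print(vm, cdrom_devices(SAMPLE[vm]))
```

A drive reported with start_connected set to False is still an attached device in the VM's configuration, so it is listed rather than filtered out.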

Official announcement: https://www.vmware.com/security/advisories/VMSA-2022-0001.html

Additional: Because the supplier wants to keep it confidential, the details have not been announced yet. My observations of this vulnerability are shown in the attached drawings.
