Critical Zero-day Vulnerabilities in VMware ESXi, Workstation, and Fusion

Broadcom has addressed three exploited vulnerabilities that, when chained, can allow an attacker to access the hypervisor through a running virtual machine

Threat ID:: CC-4627
Threat Severity:: High
Published:: 4 March 2025 4:11 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Broadcom has addressed three exploited vulnerabilities that, when chained, can allow an attacker to access the hypervisor through a running virtual machine

Affected platforms

The following platforms are known to be affected:

VMware ESXi

Version 7.0
Version 8.0

VMware Workstation and Fusion

VMware Workstation:

all prior to 17.6.3

VMware Fusion:

all prior to 13.6.3

VMware Cloud Foundation

Version 4.5.x
Version 5.x

VMware Telco Cloud

Telco Cloud Platform:

Version 2.x
Version 3.x
Version 4.x
Version 5.x

Telco Cloud Infrastructure:

Version 2.x
Version 3.x

VMware vSphere ESXi

Version 6.5
Version 6.7

Note: VMware's official FAQ states
"A patch has been released for ESX 6.7 and is available via the Support Portal to all customers. ESX 6.5 customers should use the extended support process for access to ESX 6.5 patches."

Broadcom strongly encourages all customers using vSphere 6.5 and 6.7 to update to vSphere 8.

Threat details

All VMware ESX products affected

VMware's official advisory does not include all affected product versions. VMware's official advisory VMSA-2025-0004 includes a Response Matrix detailing the fixed releases for each product.

VMware have also released an FAQ detailing the following:

You are affected if you are running any version of VMware ESX, VMware vSphere, VMware Cloud Foundation, or VMware Telco Cloud Platform prior to the versions listed as “fixed” in the VMSA.
If there is any uncertainty about whether a system is affected, it should be presumed vulnerable, and immediate action should be taken.
To ensure full protection for yourself and your organisation, install one of the update versions listed in the VMware Security Advisory.

Note: Products that are past their End of General Support dates are not evaluated as part of security advisories, and are not listed in the official VMSA.

Exploitation of CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226

Broadcom has stated exploitation of CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 has been observed in the wild.

VMware applications have become a popular target for ransomware and data-extortion groups, and rapidly patching vulnerable software should be considered of critical importance.

The NHS England National Cyber Security Operations Centre assesses further exploitation as highly likely.

Introduction

Broadcom has released a critical security advisory addressing three vulnerabilities affecting VMware ESXi, Workstation, and Fusion, which are software hypervisor solutions.

Broadcom has stated the three vulnerabilities have been observed exploited in the wild.

Vulnerability Details

CVE-2025-22224 is a 'heap-overflow' vulnerability affecting ESXI and Workstation, and has a CVSSv3 score of 9.3. If exploited, an attacker with local administrative privileges on a virtual machine (VM) could execute arbitrary code (ACE) as the VM's Virtual Machine Extension (VMX) process running on the host.
CVE-2025-22225 is an 'arbitrary write' vulnerability affecting ESXi and has a CVSSv3 score of 8.2. If exploited, an attacker with privileges within the VMX process may trigger an arbitrary kernel write, leading to an escape of the sandbox.
CVE-2025-22226 is an 'information disclosure' vulnerability affecting ESXi, Workstation, and Fusion, and has a CVSSv3 score of 7.1. If exploited, an attacker with administrative privileges on the VM may be able to leak memory from the VMX process.

Threat updates

Date	Update
6 Mar 2025	Update to affected platforms to include VMware VSphere ESXi versions 6.5 and 6.7. Blue Box 'All VMware ESX products affected' added.

Remediation advice

Affected organisations must review Broadcom advisory VMSA-2025-0004 and VMSA-2025-0004: Questions & Answers and apply the relevant updates.

Definitive source of threat updates

CVE Vulnerabilities

Status Published

CVE-2025-22224

VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Status Published

CVE-2025-22225

VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.

Status Published

CVE-2025-22226

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

Last edited: 6 March 2025 3:33 pm