Critical Zero-Day Vulnerabilities Found in These VMware Products
Cybersecurity
TEILEN
Facebook X Pinterest WhatsApp

Critical Zero-Day Vulnerabilities Found in These VMware Products

A year after VMware ESXi servers faced ransomware attacks, new zero-day vulnerabilities are being exploited, posing risks to organizations worldwide.

Verfasst von
Megan Crouse
Megan Crouse
Mar 6, 2025

Broadcom has patched three actively exploited zero-day vulnerabilities in VMware ESXi, Workstation, and Fusion, discovered by Microsoft’s Threat Intelligence Center. The flaws, which were being leveraged in real-world attacks at the time of discovery, could allow attackers with administrator or root access to a virtual machine to breach the underlying hypervisor, potentially exposing all connected VMs and sensitive data.

How do these vulnerabilities work?

If a threat actor gains administrative access to a virtual machine’s guest OS, they can escalate privileges and break into the hypervisor. Once inside, they could manipulate or access other virtual machines running on the same hypervisor, posing a significant security risk.

The three vulnerabilities are:

  • CVE-2025-22224: A Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation which can lead to an out-of-bounds write condition if an attacker already has admin privileges.
  • CVE-2025-22225: An arbitrary write vulnerability in VMware ESXi.
  • CVE-2025-22226: An information disclosure vulnerability in VMware ESXi, Workstation, and Fusion that could be used to leak memory.

To remediate the vulnerabilities, customers should apply the patches found in Broadcom’s notification. All versions of VMware ESX, VMware vSphere, VMware Cloud Foundation, or VMware Telco Cloud Platform are affected, except those with the newest update.

SEE: Google Chrome’s switch to Manifest V3 continues to break ad blockers such as uBlock Origin.

Must-read security coverage

Which products are affected?

The following products are affected by all three CVEs (via Rapid7):

  • Broadcom VMware ESXi 7.0 and 8.0.
  • Broadcom VMware Cloud Foundation 4.5.x and 5.x.
  • Broadcom VMware Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x.
  • Broadcom VMware Telco Cloud Infrastructure 3.x and 2.x.

The following product is vulnerable to CVE-2025-22224 and CVE-2025-22226 specifically:

  • Broadcom VMware Workstation 17.x.

The following product is vulnerable to CVE-2025-22226 specifically:

  • Broadcom VMware Fusion 13.x.

VMware’s Live Patch feature will not apply the patches automatically in this case.

VMware Cloud Foundation Operations, Automation, Aria Suite, and VMware NSX are not affected.

Last year, VMware ESXi servers were hit by a double-extortion ransomware variant, with the threat actors impersonating a real organization.

Megan Crouse

Megan Crouse has a decade of experience in business-to-business news and feature writing, including as first a writer and then the editor of Manufacturing.net. Her news and feature stories have appeared in Military & Aerospace Electronics, Fierce Wireless, TechRepublic, and eWeek. She copyedited cybersecurity news and features at Security Intelligence. She holds a degree in English Literature and minored in Creative Writing at Fairleigh Dickinson University.