Broadcom issues urgent alert over three VMware zero-days
The firm says it has information to suggest all three are being exploited in the wild


Broadcom has published a critical security advisory disclosing three zero-day vulnerabilities affecting its VMware ESXi, Workstation, and Fusion products.
The three flaws range in severity, with the most serious being CVE-2025-22224, a critical time-of-check time-of-use (TOCTOU) vulnerability in VMware ESXi and Workstation rated 9.3 on the CVSS.
A blog from Rapid7 stated that the TOCTOU flaw could lead to an out-of-bounds write condition, meaning an attacker with local administrative privileges on a virtual machine (VM) could exploit the weakness to execute code as the VM’s VMX process running on the host.
Meanwhile, CVE-2025-22225, is a high severity arbitrary write vulnerability that affects ESXi too.
Given a CVSS base score of 8.2, the flaw could allow an attacker with privileges to trigger an arbitrary kernel write leading to an escape of the sandbox.
Broadcom also disclosed an information disclosure vulnerability, CVE-2025-22226, which affects VMware ESXi, Workstation, and Fusion, caused by an out-of-bounds read in host guest file system (HGFS).
Broadcom warned that a malicious actor with admin privileges to a VM may be able to exploit the flaw to leak memory from the VMX process.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
All three of these flaws were first spotted by researchers at Microsoft’s Threat Intelligence Center, who reported the issue to Broadcom.
Broadcom’s advisory indicates that all three CVEs are already being targeted by attackers, noting that it “has information to suggest that exploitation has occurred in the wild”.
This looks to have been confirmed by CISA adding all three to its Known Exploited Vulnerabilities (KEV) list shortly after Broadcom published its advisory.
It added that based on the information included in the advisory, all three of these CVEs could be chained together in an attack.
“This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself.”
Rapid7 noted that these are not remotely exploitable vulnerabilities, however, and would require the attacker having existing privileged access on a VM that is running on a vulnerable VMware hypervisor.
At the time of writing there is no known public exploit code for any of the CVEs, but Rapid7 warned that due to ESXi hypervisors being popular targets among both financially motivated and state-sponsored adversaries, it recommends applying the fixes pushed out by Broadcom “on an expedited basis”.
VMware ESXi 7.0 and 8.0; Cloud Foundation 4.5.x and 5.x; Telco Cloud Platform 5.x, 4.x, and 2.x; and Telco Cloud Infrastructure 3.x and 2.x are vulnerable to all three flaws.
Broadcom VMware Workstation 17.x is vulnerable to CVE-2025-22224 and CVE-2025-22226, whereas VMware Fusion 13.x is only vulnerable to the latter.
MORE FROM ITPRO
- A batch of €5 hard drives found at a flea market held 15GB of Dutch medical records
- Malware-free attacks surged in 2024 as attackers drop malicious software for legitimate tools
- Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claim
Solomon Klappholz is a former Staff Writer at ITPro adn ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.
-
"I LOVE this company!" Looking back on 50 years of tech giant Microsoft
Opinion There have been highs, lows, laughs and lots of success in the past 5 decades for the Redmond-headquartered firm
By Maggie Holland Published
-
Verizon Call Filter API flaw could’ve exposed millions of Americans’ call records
News A security flaw in Verizon's Call Filter app could’ve allowed threat actors to access details of incoming calls for another user, a security researcher has found.
By Ross Kelly Published
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claim
News Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
By Solomon Klappholz Published
-
Everything you need to know about the Microsoft Power Pages vulnerability
News A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
By Solomon Klappholz Published
-
Vulnerability management complexity is leaving enterprises at serious risk
News Fragmented data and siloed processes mean remediation is taking too long
By Emma Woollacott Published
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to know
News Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
By Solomon Klappholz Published
-
Researchers claim an AMD security flaw could let hackers access encrypted data
News Using only a $10 test rig, researchers were able to pull off the badRAM attack
By Solomon Klappholz Published
-
Threat actors are exploiting a VMware ESXi bug which could be “catastrophic” for affected firms
News The VMware ESXi hypervisor has become a favorite target in the digital extortion community, according to researchers
By Solomon Klappholz Published
-
Everything you need to know about the VMware vCenter Server vulnerability
News A critical flaw in the VMware vCenter Server management software has been exploited in the wild by a Chinese hacking group since late 2021
By Solomon Klappholz Published
-
A journey to cyber resilience
whitepaper DORA: Ushering in a new era of cyber security
By ITPro Published