Broadcom has published a critical security advisory disclosing three zero-day vulnerabilities affecting its VMware ESXi, Workstation, and Fusion products.
The three flaws range in severity, with the most serious being CVE-2025-22224, a critical time-of-check time-of-use (TOCTOU) vulnerability in VMware ESXi and Workstation rated 9.3 on the CVSS.
A blog from Rapid7 stated that the TOCTOU flaw could lead to an out-of-bounds write condition, meaning an attacker with local administrative privileges on a virtual machine (VM) could exploit the weakness to execute code as the VM’s VMX process running on the host.
Meanwhile, CVE-2025-22225, is a high severity arbitrary write vulnerability that affects ESXi too.
Given a CVSS base score of 8.2, the flaw could allow an attacker with privileges to trigger an arbitrary kernel write leading to an escape of the sandbox.
Broadcom also disclosed an information disclosure vulnerability, CVE-2025-22226, which affects VMware ESXi, Workstation, and Fusion, caused by an out-of-bounds read in host guest file system (HGFS).
Broadcom warned that a malicious actor with admin privileges to a VM may be able to exploit the flaw to leak memory from the VMX process.
All three of these flaws were first spotted by researchers at Microsoft’s Threat Intelligence Center, who reported the issue to Broadcom.
Broadcom’s advisory indicates that all three CVEs are already being targeted by attackers, noting that it “has information to suggest that exploitation has occurred in the wild”.
This looks to have been confirmed by CISA adding all three to its Known Exploited Vulnerabilities (KEV) list shortly after Broadcom published its advisory.
It added that based on the information included in the advisory, all three of these CVEs could be chained together in an attack.
“This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself.”
Rapid7 noted that these are not remotely exploitable vulnerabilities, however, and would require the attacker having existing privileged access on a VM that is running on a vulnerable VMware hypervisor.
At the time of writing there is no known public exploit code for any of the CVEs, but Rapid7 warned that due to ESXi hypervisors being popular targets among both financially motivated and state-sponsored adversaries, it recommends applying the fixes pushed out by Broadcom “on an expedited basis”.
VMware ESXi 7.0 and 8.0; Cloud Foundation 4.5.x and 5.x; Telco Cloud Platform 5.x, 4.x, and 2.x; and Telco Cloud Infrastructure 3.x and 2.x are vulnerable to all three flaws.
Broadcom VMware Workstation 17.x is vulnerable to CVE-2025-22224 and CVE-2025-22226, whereas VMware Fusion 13.x is only vulnerable to the latter.
MORE FROM ITPRO
- A batch of €5 hard drives found at a flea market held 15GB of Dutch medical records
- Malware-free attacks surged in 2024 as attackers drop malicious software for legitimate tools
- Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claim
-
M&S suspends online sales as 'cyber incident' continuesNews Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
-
Manners cost nothing, unless you’re using ChatGPTOpinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
Threat actors are exploiting a VMware ESXi bug which could be “catastrophic” for affected firmsNews The VMware ESXi hypervisor has become a favorite target in the digital extortion community, according to researchers
-
Everything you need to know about the VMware vCenter Server vulnerabilityNews A critical flaw in the VMware vCenter Server management software has been exploited in the wild by a Chinese hacking group since late 2021
