Broadcom issues urgent alert over three VMware zero-days
The firm says it has information to suggest all three are being exploited in the wild


Broadcom has published a critical security advisory disclosing three zero-day vulnerabilities affecting its VMware ESXi, Workstation, and Fusion products.
The three flaws range in severity, with the most serious being CVE-2025-22224, a critical time-of-check time-of-use (TOCTOU) vulnerability in VMware ESXi and Workstation rated 9.3 on the CVSS.
A blog from Rapid7 stated that the TOCTOU flaw could lead to an out-of-bounds write condition, meaning an attacker with local administrative privileges on a virtual machine (VM) could exploit the weakness to execute code as the VM’s VMX process running on the host.
Meanwhile, CVE-2025-22225, is a high severity arbitrary write vulnerability that affects ESXi too.
Given a CVSS base score of 8.2, the flaw could allow an attacker with privileges to trigger an arbitrary kernel write leading to an escape of the sandbox.
Broadcom also disclosed an information disclosure vulnerability, CVE-2025-22226, which affects VMware ESXi, Workstation, and Fusion, caused by an out-of-bounds read in host guest file system (HGFS).
Broadcom warned that a malicious actor with admin privileges to a VM may be able to exploit the flaw to leak memory from the VMX process.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
All three of these flaws were first spotted by researchers at Microsoft’s Threat Intelligence Center, who reported the issue to Broadcom.
Broadcom’s advisory indicates that all three CVEs are already being targeted by attackers, noting that it “has information to suggest that exploitation has occurred in the wild”.
This looks to have been confirmed by CISA adding all three to its Known Exploited Vulnerabilities (KEV) list shortly after Broadcom published its advisory.
It added that based on the information included in the advisory, all three of these CVEs could be chained together in an attack.
“This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself.”
Rapid7 noted that these are not remotely exploitable vulnerabilities, however, and would require the attacker having existing privileged access on a VM that is running on a vulnerable VMware hypervisor.
At the time of writing there is no known public exploit code for any of the CVEs, but Rapid7 warned that due to ESXi hypervisors being popular targets among both financially motivated and state-sponsored adversaries, it recommends applying the fixes pushed out by Broadcom “on an expedited basis”.
VMware ESXi 7.0 and 8.0; Cloud Foundation 4.5.x and 5.x; Telco Cloud Platform 5.x, 4.x, and 2.x; and Telco Cloud Infrastructure 3.x and 2.x are vulnerable to all three flaws.
Broadcom VMware Workstation 17.x is vulnerable to CVE-2025-22224 and CVE-2025-22226, whereas VMware Fusion 13.x is only vulnerable to the latter.
MORE FROM ITPRO
- A batch of €5 hard drives found at a flea market held 15GB of Dutch medical records
- Malware-free attacks surged in 2024 as attackers drop malicious software for legitimate tools
- Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claim

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.
-
M&S suspends online sales as 'cyber incident' continues
News Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
By Ross Kelly
-
Manners cost nothing, unless you’re using ChatGPT
Opinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
By Ross Kelly
-
Hackers are targeting Ivanti VPN users again – here’s what you need to know
News Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
By Emma Woollacott
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claim
News Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
By Solomon Klappholz
-
Everything you need to know about the Microsoft Power Pages vulnerability
News A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
By Solomon Klappholz
-
Vulnerability management complexity is leaving enterprises at serious risk
News Fragmented data and siloed processes mean remediation is taking too long
By Emma Woollacott
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to know
News Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
By Solomon Klappholz
-
Researchers claim an AMD security flaw could let hackers access encrypted data
News Using only a $10 test rig, researchers were able to pull off the badRAM attack
By Solomon Klappholz
-
Threat actors are exploiting a VMware ESXi bug which could be “catastrophic” for affected firms
News The VMware ESXi hypervisor has become a favorite target in the digital extortion community, according to researchers
By Solomon Klappholz
-
Everything you need to know about the VMware vCenter Server vulnerability
News A critical flaw in the VMware vCenter Server management software has been exploited in the wild by a Chinese hacking group since late 2021
By Solomon Klappholz