Broadcom has published a critical security advisory disclosing three zero-day vulnerabilities affecting its VMware ESXi, Workstation, and Fusion products.
The three flaws range in severity, with the most serious being CVE-2025-22224, a critical time-of-check time-of-use (TOCTOU) vulnerability in VMware ESXi and Workstation rated 9.3 on the CVSS.
A blog from Rapid7 stated that the TOCTOU flaw could lead to an out-of-bounds write condition, meaning an attacker with local administrative privileges on a virtual machine (VM) could exploit the weakness to execute code as the VM’s VMX process running on the host.
Meanwhile, CVE-2025-22225, is a high severity arbitrary write vulnerability that affects ESXi too.
Given a CVSS base score of 8.2, the flaw could allow an attacker with privileges to trigger an arbitrary kernel write leading to an escape of the sandbox.
Broadcom also disclosed an information disclosure vulnerability, CVE-2025-22226, which affects VMware ESXi, Workstation, and Fusion, caused by an out-of-bounds read in host guest file system (HGFS).
Broadcom warned that a malicious actor with admin privileges to a VM may be able to exploit the flaw to leak memory from the VMX process.
All three of these flaws were first spotted by researchers at Microsoft’s Threat Intelligence Center, who reported the issue to Broadcom.
Broadcom’s advisory indicates that all three CVEs are already being targeted by attackers, noting that it “has information to suggest that exploitation has occurred in the wild”.
This looks to have been confirmed by CISA adding all three to its Known Exploited Vulnerabilities (KEV) list shortly after Broadcom published its advisory.
It added that based on the information included in the advisory, all three of these CVEs could be chained together in an attack.
“This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself.”
Rapid7 noted that these are not remotely exploitable vulnerabilities, however, and would require the attacker having existing privileged access on a VM that is running on a vulnerable VMware hypervisor.
At the time of writing there is no known public exploit code for any of the CVEs, but Rapid7 warned that due to ESXi hypervisors being popular targets among both financially motivated and state-sponsored adversaries, it recommends applying the fixes pushed out by Broadcom “on an expedited basis”.
VMware ESXi 7.0 and 8.0; Cloud Foundation 4.5.x and 5.x; Telco Cloud Platform 5.x, 4.x, and 2.x; and Telco Cloud Infrastructure 3.x and 2.x are vulnerable to all three flaws.
Broadcom VMware Workstation 17.x is vulnerable to CVE-2025-22224 and CVE-2025-22226, whereas VMware Fusion 13.x is only vulnerable to the latter.
MORE FROM ITPRO
