CVE-2025-22226 - VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability

VMware | ESXi, Workstation, and Fusion

• Date Added:
• 2025-03-04

• Due Date:
• 2025-03-25

Vulnerability Name

VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability

Description

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. Successful exploitation allows an attacker with administrative privileges to a virtual machine to leak memory from the vmx process.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390 ; https://nvd.nist.gov/vuln/detail/CVE-2025-22226

Latest Security News

Rubrik rotates authentication keys after log server breach

DHS says CISA will not stop monitoring Russian cyber threats

New Microsoft 365 outage impacts Teams, causes call failures

CISA tags Windows, Cisco vulnerabilities as actively exploited

New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint

UK watchdog probes TikTok and Reddit over child privacy concerns

Microsoft links recent Microsoft 365 outage to buggy update

U.K. ICO Investigates TikTok, Reddit, and Imgur Over Children's Data Protection Practices

Common Alerts

InformationalAuthentication Request Identified

InformationalCharset Mismatch

HighPath Traversal

InformationalLoosely Scoped Cookie

LowServer Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

InformationalInformation Disclosure - Sensitive Information in URL

MediumAnti-CSRF Tokens Check

LowInsufficient Site Isolation Against Spectre Vulnerability

HighXPath Injection

MediumSub Resource Integrity Attribute Missing

Latest CVE List

CVE-2024-50302 Linux Kernel Use of Uninitialized Resource Vulnerability

CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability

CVE-2025-22225 VMware ESXi Arbitrary Write Vulnerability

CVE-2025-22226 VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability

CVE-2023-20118 Cisco Small Business RV Series Routers Command Injection Vulnerability

CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability

CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability

CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability

CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability

CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability

Top CWE List

HighCWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CWE-693 Protection Mechanism Failure

HighCWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-1426 Improper Validation of Generative AI Output

CWE-581 Object Model Violation: Just One of Equals and Hashcode Defined

CWE-1298 Hardware Logic Contains Race Conditions

CWE-201 Insertion of Sensitive Information Into Sent Data

CWE-1193 Power-On of Untrusted Execution Core Before Enabling Fabric Access Control

CWE-1125 Excessive Attack Surface

CWE-1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)