VMware Security Flaws Exploited in the Wild—Broadcom Releases Urgent Patches

Broadcom has released security updates to address three actively exploited security flaws in VMware ESXi, Workstation, and Fusion products that could lead to code execution and information disclosure.
The list of vulnerabilities is as follows -
- CVE-2025-22224 (CVSS score: 9.3) - A Time-of-Check Time-of-Use (TOCTOU) vulnerability that leads to an out-of-bounds write, which a malicious actor with local administrative privileges on a virtual machine could exploit to execute code as the virtual machine's VMX process running on the host
- CVE-2025-22225 (CVSS score: 8.2) - An arbitrary write vulnerability that a malicious actor with privileges within the VMX process could exploit to result in a sandbox escape
- CVE-2025-22226 (CVSS score: 7.1) - An information disclosure vulnerability due to an out-of-bounds read in HGFS that a malicious actor with administrative privileges to a virtual machine could exploit to leak memory from the vmx process
The shortcomings impact the following versions -
- VMware ESXi 8.0 - Fixed in ESXi80U3d-24585383, ESXi80U2d-24585300
- VMware ESXi 7.0 - Fixed in ESXi70U3s-24585291
- VMware Workstation 17.x - Fixed in 17.6.3
- VMware Fusion 13.x - Fixed in 13.6.3
- VMware Cloud Foundation 5.x - Async patch to ESXi80U3d-24585383
- VMware Cloud Foundation 4.x - Async patch to ESXi70U3s-24585291
- VMware Telco Cloud Platform 5.x, 4.x, 3.x, 2.x - Fixed in ESXi 7.0U3s, ESXi 8.0U2d, and ESXi 8.0U3d
- VMware Telco Cloud Infrastructure 3.x, 2.x - Fixed in ESXi 7.0U3s
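The fixed ESXi builds above only tell you whether a host is patched if you compare the build number within the host's own release train, since the 8.0 U2 and 8.0 U3 trains received separate fixes. The following triage script is an added example (it is not code from the article or from Broadcom): it parses version banners in the format printed by `vmware -v` on an ESXi host and flags each host as patched, vulnerable, or on a train with no fixed build listed. It assumes that ESXi 8.0 Update 3 reports itself as 8.0.3, 8.0 Update 2 as 8.0.2 and 7.0 Update 3 as 7.0.3; the hostnames and the non-fixed build numbers in the sample inventory are constructed. Workstation and Fusion use ordinary version numbers (17.6.3, 13.6.3) and are not covered by this check.

```python
import re
from typing import NamedTuple

# Fixed ESXi builds from the Broadcom advisory as listed on this page, keyed by
# the release train as the host reports it (assumption: U3 -> x.0.3, U2 -> x.0.2).
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi80U3d-24585383
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "7.0.3": 24585291,  # ESXi70U3s-24585291
}

# `vmware -v` prints e.g. "VMware ESXi 8.0.3 build-24585383"
VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")


class HostStatus(NamedTuple):
    host: str
    version: str
    build: int
    status: str  # "patched", "vulnerable" or "no-fixed-build-for-train"


def classify(host: str, banner: str) -> HostStatus:
    """Compare one host's build against the fixed build for its own train."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"{host}: unrecognised version banner: {banner!r}")
    version, build = m.group(1), int(m.group(2))
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        # e.g. 8.0.1 or 7.0.2: no in-place fix listed; host must move to a fixed train
        status = "no-fixed-build-for-train"
    elif build >= fixed:
        status = "patched"
    else:
        status = "vulnerable"
    return HostStatus(host, version, build, status)


def triage(inventory):
    """inventory: iterable of (hostname, banner) pairs."""
    return [classify(host, banner) for host, banner in inventory]


def summarize(statuses):
    """Count hosts per status so the result can drive a patch ticket or dashboard."""
    counts = {"patched": 0, "vulnerable": 0, "no-fixed-build-for-train": 0}
    for s in statuses:
        counts[s.status] += 1
    return counts


def needs_action(statuses):
    """Hostnames that still require patching or a train upgrade."""
    return [s.host for s in statuses if s.status != "patched"]


# Constructed sample inventory: hostnames are made up, and the builds that are
# not the fixed builds are simply lower values chosen for illustration.
SAMPLE_INVENTORY = [
    ("esx01.example.test", "VMware ESXi 8.0.3 build-24585383"),
    ("esx02.example.test", "VMware ESXi 8.0.3 build-24400000"),
    ("esx03.example.test", "VMware ESXi 8.0.2 build-24585300"),
    ("esx04.example.test", "VMware ESXi 7.0.3 build-23700000"),
    ("esx05.example.test", "VMware ESXi 8.0.1 build-22000000"),
]

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for r in results:
        print(f"{r.host:22} {r.version:6} build {r.build:<10} {r.status}")
    print(summarize(results))
    print("needs action:", needs_action(results))
```

In a real environment the banners would come from an inventory export or from running `vmware -v` over SSH on each host; the comparison is only meaningful against the fixed build of the same train, which is why the dictionary is keyed by version rather than by a single global build number.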
In a separate FAQ, Broadcom acknowledged that it has "information to suggest that exploitation of these issues has occurred 'in the wild,'" but it did not elaborate on the nature of the attacks or the identity of the threat actors that have weaponized them.
The virtualization services provider credited the Microsoft Threat Intelligence Center for discovering and reporting the bugs. In light of active exploitation, it's essential that users apply the latest patches for optimal protection.
Update
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the three zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to patch them by March 25, 2025.
"This is a situation where an attacker who has already compromised a virtual machine's guest OS and gained privileged access (administrator or root) could move into the hypervisor itself," VMware added.