Critical Zero-Day Vulnerabilities Found in These VMware Products


Broadcom has patched three actively exploited zero-day vulnerabilities in VMware ESXi, Workstation, and Fusion, discovered by Microsoft’s Threat Intelligence Center. The flaws, which were being leveraged in real-world attacks at the time of discovery, could allow attackers with administrator or root access to a virtual machine to breach the underlying hypervisor, potentially exposing all connected VMs and sensitive data.

How do these vulnerabilities work?

If a threat actor gains administrative access to a virtual machine’s guest OS, they can escalate privileges and break into the hypervisor. Once inside, they could manipulate or access other virtual machines running on the same hypervisor, posing a significant security risk.

The three vulnerabilities are:

  • CVE-2025-22224: A Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation, which can lead to an out-of-bounds write condition if an attacker already has admin privileges.
  • CVE-2025-22225: An arbitrary write vulnerability in VMware ESXi.
  • CVE-2025-22226: An information disclosure vulnerability in VMware ESXi, Workstation, and Fusion that could be used to leak memory.

To remediate the vulnerabilities, customers should apply the patches found in Broadcom’s notification. All versions of VMware ESX, VMware vSphere, VMware Cloud Foundation, or VMware Telco Cloud Platform are affected, except those with the newest update.

Which products are affected?

The following products are affected by all three CVEs (via Rapid7):

  • Broadcom VMware ESXi 7.0 and 8.0.
  • Broadcom VMware Cloud Foundation 4.5.x and 5.x.
  • Broadcom VMware Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x.
  • Broadcom VMware Telco Cloud Infrastructure 3.x and 2.x.

The following product is vulnerable to CVE-2025-22224 and CVE-2025-22226 specifically:

  • Broadcom VMware Workstation 17.x.

The following product is vulnerable to CVE-2025-22226 specifically:

  • Broadcom VMware Fusion 13.x.

VMware’s Live Patch feature will not apply the patches automatically in this case.

VMware Cloud Foundation Operations, Automation, Aria Suite, and VMware NSX are not affected.

Last year, VMware ESXi servers were hit by a double-extortion ransomware variant, with the threat actors impersonating a real organization.


