Multiple Zero-Day Vulnerabilities in Broadcom VMware ESXi and Other Products

Critical Zero-Day Alert: Broadcom Discloses 3 VMware Vulnerabilities with Active Exploits in the Wild


On Tuesday, March 4, 2025, Broadcom dropped a high-impact security advisory (VMSA-2025-0004) detailing three newly discovered zero-day vulnerabilities affecting several VMware products—ESXi, Workstation, and Fusion. The most severe, CVE-2025-22224, is a critical flaw in ESXi and Workstation that could allow attackers to break out of virtual machines and execute code on the host.

These are not remotely exploitable flaws: an attacker needs local administrative access inside a guest virtual machine. The risk is still significant, though. In real-world scenarios, a single compromised VM could become a launchpad for deeper attacks into the hypervisor layer.


Breakdown of the Vulnerabilities:

🔴 CVE-2025-22224 (CVSS 9.3)

A Time-of-Check Time-of-Use (TOCTOU) flaw in ESXi and Workstation. It can lead to an out-of-bounds write condition. An attacker with local administrative privileges on a virtual machine could exploit this issue to execute code as the virtual machine's VMX process running on the host.

🟠 CVE-2025-22225 (CVSS 8.2)

A serious arbitrary kernel write issue in ESXi. With access to the VMX process, attackers can write to kernel memory and break out of the virtual environment.

🟡 CVE-2025-22226 (CVSS 7.1)

A vulnerability in VMware ESXi, Workstation, and Fusion allows an attacker with admin access to a virtual machine to exploit an out-of-bounds read in the Host Guest File System (HGFS), potentially leaking memory from the VMX process.

These flaws were responsibly reported by the Microsoft Threat Intelligence Center, and Broadcom confirmed that active exploitation is already taking place. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all three CVEs to its Known Exploited Vulnerabilities (KEV) catalog.

Broadcom notes that the vulnerabilities can be chained, allowing an attacker with control over a guest VM to escalate privileges and move into the hypervisor itself—a nightmare scenario for virtualized environments.

🔐 No Public Exploits Yet — But Don’t Wait

Although exploit code hasn't surfaced publicly, the potential impact is high. Given the popularity of ESXi among both enterprise environments and adversaries (especially ransomware groups), organizations are strongly urged to apply available patches immediately.

🧩 Affected Products

Vulnerable to CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226:

  • VMware ESXi 7.0 and 8.0

  • VMware Fusion 13.x

Vulnerable to CVE-2025-22226 only:

  • VMware Workstation 17.x

Vulnerable to CVE-2025-22224 and CVE-2025-22226:

  • VMware Telco Cloud Infrastructure 2.x and 3.x

  • VMware Telco Cloud Platform (2.x to 5.x)

  • VMware Cloud Foundation 4.5.x and 5.x


🚨 Heads up, VMware users! 🚨

Now you can quickly assess your exposure and stay one step ahead of potential threats before they become a real headache with InsightVM and Nexpose 💻🔍

Time to hit that scan button! 😉

REFERENCE: https://www.rapid7.com/blog/post/2025/03/04/etr-multiple-zero-day-vulnerabilities-in-broadcom-vmware-esxi-and-other-products/