
On March 4, 2025, Broadcom issued a critical security advisory addressing three zero-day vulnerabilities in VMware products that were actively exploited in the wild. These high-risk vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, affect VMware ESXi, Workstation, and Fusion, posing serious threats to virtualized environments globally.
Understanding the Vulnerabilities
1. CVE-2025-22224: VMCI Heap Overflow Vulnerability
This critical flaw, assigned a CVSSv3 score of 9.3, is a heap-overflow issue in the Virtual Machine Communication Interface (VMCI). It impacts VMware ESXi and Workstation. An attacker with local administrative privileges inside a virtual machine (VM) can trigger the flaw, and successful exploitation yields arbitrary code execution in the context of that VM’s VMX process, which runs on the host system.
2. CVE-2025-22225: Arbitrary Kernel Write Vulnerability
With a CVSSv3 score of 8.2, this high-severity vulnerability affects VMware ESXi. It allows attackers with privileges within the VMX process to perform arbitrary kernel writes, potentially escaping the sandbox environment and compromising the host system.
3. CVE-2025-22226: Out-of-Bounds Read in HGFS Component
This information disclosure vulnerability, carrying a CVSSv3 score of 7.1, impacts VMware ESXi, Workstation, and Fusion. It arises from an out-of-bounds read flaw in the Host Guest File System (HGFS). Attackers with administrative privileges on a VM can exploit this flaw to leak memory from the VMX process, potentially exposing sensitive information.
Exploitation in the Wild
Broadcom confirmed that these vulnerabilities have been actively exploited in real-world attacks. Exploitation requires elevated privileges within the guest operating system, so an attacker must first compromise and escalate inside a VM before using these flaws to reach the hypervisor. This highlights the importance of maintaining robust security measures at both the guest and host levels.
Impacted Products
The vulnerabilities affect the following VMware products:
- VMware ESXi: Versions 7.0 and 8.0
- VMware Workstation: Versions 17.x
- VMware Fusion: Versions 13.x
- VMware Cloud Foundation: Versions 4.5.x and 5.x
- VMware Telco Cloud Platform: Versions 5.x, 4.x, 3.x, and 2.x
- VMware Telco Cloud Infrastructure: Versions 3.x and 2.x
Mitigation and Recommendations
Broadcom has released patches to remediate these vulnerabilities. Administrators are strongly urged to apply the following updates immediately:
- VMware ESXi: Update to versions ESXi80U3d-24585383, ESXi80U2d-24585300, or ESXi70U3s-24585291.
- VMware Workstation: Update to version 17.6.3.
- VMware Fusion: Update to version 13.6.3.
- VMware Cloud Foundation: Apply the asynchronous patch corresponding to ESXi80U3d-24585383.
Administrators managing other impacted products should consult VMware’s official documentation for detailed patch guidance.
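The following is an added example, not part of the advisory, that turns the patch list above into an inventory check: it parses the ESXi patch identifiers listed in this page into fixed build numbers and classifies each host or desktop install as patched, vulnerable, or on a line with no listed fix. It assumes that ESXi reports its update line as the third version component (8.0.3 for 8.0 Update 3) and uses a constructed inventory as input.

```python
import re

# Fixed builds exactly as listed in the advisory; parsed rather than hand-typed.
FIXED_PATCH_IDS = ["ESXi80U3d-24585383", "ESXi80U2d-24585300", "ESXi70U3s-24585291"]
# Fixed desktop versions listed in the advisory.
FIXED_DESKTOP = {"workstation": (17, 6, 3), "fusion": (13, 6, 3)}

def parse_patch_id(pid):
    """'ESXi80U3d-24585383' -> ('8.0.3', 24585383)."""
    m = re.fullmatch(r"ESXi(\d)(\d)U(\d)[a-z]-(\d+)", pid)
    if not m:
        raise ValueError(f"unrecognised patch id: {pid}")
    major, minor, update, build = m.groups()
    return f"{major}.{minor}.{update}", int(build)

FIXED_BUILDS = dict(parse_patch_id(p) for p in FIXED_PATCH_IDS)

def assess_esxi(version, build):
    """Classify an ESXi host by update line and build number."""
    # Assumption: the third version component is the update line (8.0.3 == 8.0 U3).
    line = ".".join(version.split(".")[:3])
    if line not in FIXED_BUILDS:
        return "no-fix-listed"  # e.g. 8.0 U1: move to a line that has a patch
    return "patched" if build >= FIXED_BUILDS[line] else "vulnerable"

def assess_desktop(product, version):
    """Classify a Workstation or Fusion install by version tuple."""
    want = FIXED_DESKTOP[product.lower()]
    have = tuple(int(x) for x in version.split("."))
    if have[0] != want[0]:
        return "no-fix-listed"  # major line not covered by this advisory's list
    return "patched" if have >= want else "vulnerable"

def assess_inventory(lines):
    """Each line is 'name,product,version,build' (build empty for desktop products)."""
    results = []
    for raw in lines:
        name, product, version, build = [f.strip() for f in raw.split(",")]
        if product.lower() == "esxi":
            results.append((name, assess_esxi(version, int(build))))
        else:
            results.append((name, assess_desktop(product, version)))
    return results

# Constructed sample inventory (hostnames and lower build numbers are made up).
SAMPLE_INVENTORY = [
    "esx-a,esxi,8.0.3,24585383",
    "esx-b,esxi,8.0.3,24280767",
    "esx-c,esxi,7.0.3,24585291",
    "esx-d,esxi,8.0.1,24585383",
    "laptop-1,workstation,17.6.2,",
    "mac-1,fusion,13.6.3,",
]
```

Hosts reported as "no-fix-listed" are on a release line for which the advisory names no patch and need an upgrade to a listed line, not just a build bump.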