In a move to counteract ongoing cyber threats, Broadcom has urgently rolled out security patches addressing three critical vulnerabilities actively exploited in VMware ESXi, Workstation, and Fusion. These flaws open the door to remote code execution and data leakage, posing a substantial risk to virtualized environments.
Catalog of Exploited Weaknesses:
- CVE-2025-22224 (CVSS 9.3): A Time-of-Check to Time-of-Use (TOCTOU) flaw facilitating an out-of-bounds write. A threat actor with administrative control over a virtual machine could exploit this to run arbitrary code within the VMX process on the host system.
- CVE-2025-22225 (CVSS 8.2): A sandbox-escape vulnerability stemming from an arbitrary write weakness. If leveraged, an attacker inside the VMX process could breach containment and execute malicious actions.
- CVE-2025-22226 (CVSS 7.1): An out-of-bounds read vulnerability in HGFS allowing an adversary with admin-level VM privileges to siphon memory data from the VMX process.
Impacted VMware Releases & Patch Fixes:
- VMware ESXi 8.0: Mitigated in ESXi80U3d-24585383, ESXi80U2d-24585300
- VMware ESXi 7.0: Fixed in ESXi70U3s-24585291
- VMware Workstation 17.x: Remediated in 17.6.3
- VMware Fusion 13.x: Addressed in 13.6.3
- VMware Cloud Foundation 5.x: Async patch via ESXi80U3d-24585383
- VMware Cloud Foundation 4.x: Async patch via ESXi70U3s-24585291
- VMware Telco Cloud Platform 5.x, 4.x, 3.x, 2.x: Patched in ESXi 7.0U3s, ESXi 8.0U2d, ESXi 8.0U3d
- VMware Telco Cloud Infrastructure 3.x, 2.x: Fixed in ESXi 7.0U3s
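A quick way to check whether an ESXi host has reached one of the fixed builds above is to compare the host's reported build against the minimum fixed build for its update line. The script below is an added example, not Broadcom's or VMware's own code: it parses the key/value output of `esxcli system version get` (sample output constructed here, not captured from a real host), and assumes the `Version` field maps to the update line as 8.0.3 = 8.0 U3, 8.0.2 = 8.0 U2, 7.0.3 = 7.0 U3. Comparing against the per-line build rather than a single global number matters, because the 8.0 U2d fixed build (24585300) is lower than the 8.0 U3d fixed build (24585383), so an 8.0 U3 host at build 24585300 would still be unpatched.

```python
import re

# Minimum fixed build per ESXi version line, taken from the fixed builds
# listed on this page. The "Version"-to-update-line mapping is an assumption
# of this example.
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi80U3d-24585383
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "7.0.3": 24585291,  # ESXi70U3s-24585291
}


def parse_esxcli_version(output: str) -> dict:
    """Parse the 'Key: value' lines printed by `esxcli system version get`."""
    info = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def build_number(build_field: str) -> int:
    """Extract the numeric build from a field such as 'Releasebuild-24585383'."""
    m = re.search(r"(\d+)\s*$", build_field)
    if not m:
        raise ValueError(f"unrecognised build field: {build_field!r}")
    return int(m.group(1))


def patch_status(output: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown' for one host's esxcli output.

    'unknown' means the host's version line is not one of the lines for which
    this advisory lists a fixed build; such hosts need to move to a fixed line.
    """
    info = parse_esxcli_version(output)
    fixed = FIXED_BUILDS.get(info.get("Version", ""))
    if fixed is None:
        return "unknown"
    return "patched" if build_number(info["Build"]) >= fixed else "vulnerable"


# Constructed sample: an 8.0 U3 host on a pre-advisory build.
SAMPLE_OUTPUT = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24022510
   Update: 3
   Patch: 0
"""

if __name__ == "__main__":
    print(patch_status(SAMPLE_OUTPUT))
```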
Exploitation Confirmed in the Wild
Broadcom has acknowledged that these vulnerabilities have been exploited in real-world attacks, though specifics regarding attack methodology, threat actor identity, and operational impact remain undisclosed. The company emphasized the imperative need for administrators to immediately deploy security patches to neutralize risks.
The Microsoft Threat Intelligence Center has been credited for uncovering these security lapses and reporting them. Given the active weaponization of these vulnerabilities, organizations must act swiftly to fortify their virtual infrastructure against emerging threats.