
Global tech leader Broadcom published a critical security advisory on March 4th, 2025, regarding three new zero-day vulnerabilities in VMware ESXi, Workstation, Fusion, and other products. With varying levels of severity, the vulnerabilities can enable attackers to execute code, escape sandboxes, or leak memory.
The advisory states that Broadcom has information to suggest these vulnerabilities have been actively exploited in the wild.
Details of the Vulnerabilities
The newly discovered vulnerabilities, while not remotely exploitable, can empower attackers who have already compromised a virtual machine to carry out further harm. They affect a number of VMware products built on ESXi, including VMware Cloud Foundation and VMware Telco Cloud Platform.
- CVE-2025-22224: A critical VMCI heap overflow vulnerability in VMware ESXi and Workstation, allowing attackers with local administrative privileges on a VM to execute code as the VMX process on the host. This is evaluated as a Critical vulnerability, with a CVSS of 9.3.
- CVE-2025-22225: A high-severity arbitrary write vulnerability in VMware ESXi, enabling attackers with VMX process privileges to perform arbitrary kernel writes, leading to a sandbox escape. This vulnerability is in the Important severity range with a CVSS of 8.2.
- CVE-2025-22226: A high-severity information disclosure vulnerability in VMware ESXi, Workstation, and Fusion, caused by an out-of-bounds read in the Host Guest File System (HGFS), allowing attackers with administrative privileges on a VM to leak memory from the VMX process. This is a vulnerability of Important severity with a CVSS of 7.1.
Discovery and Reporting
These vulnerabilities were originally discovered and disclosed to Broadcom by the Microsoft Threat Intelligence Center, and Broadcom acknowledged the CVEs and published the advisory shortly after. Broadcom has also confirmed that there is evidence that all three vulnerabilities have been exploited in the wild. The vulnerabilities have been added to the United States Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog.
In addition to warning about the vulnerabilities, Broadcom’s advisory provides information on the fixed versions of the affected products. The full list of VMware products impacted by one or more of these vulnerabilities includes ESXi 7.0 and 8.0, Workstation 17.x, Fusion 13.x, Cloud Foundation 4.5.x and 5.x, Telco Cloud Platform 2.x, 3.x, 4.x, and 5.x, and Telco Cloud Infrastructure 2.x and 3.x. Updated versions or patches have been released for all affected products.
Potential Risks and Exploitation Scenarios
These vulnerabilities cannot be exploited remotely, so they require the attacker to already have administrator or root privileges inside a virtual machine. However, if a bad actor has that access, the CVEs can enable them to escape the virtual machine and execute code on the host. “These specific zero-day exploits can be chained together by attackers, allowing them to gain access to unpatched virtual devices and escalate privileges, potentially achieving administrative control of the hypervisor,” says Chris Gray, Field CTO at Deepwatch, a San Francisco, California-based AI+Human Cyber Resilience Platform.
Exploitation of these vulnerabilities can have far-reaching consequences for organizations. “Virtualization platforms, characterized by their complex and interconnected systems, are particularly susceptible to chained exploits,” according to Gray. “Once attackers exploit initial vulnerabilities, they can uncover further weaknesses, creating a cascade effect.” Attacks exploiting these CVEs can empower bad actors to breach data, compromise systems, install backdoors, and more.
Recommended Actions
To protect against the risks associated with these recently discovered vulnerabilities, organizations are encouraged to follow guidance for patching the relevant products. It is crucial to implement the recommended patches and updates to fix the vulnerabilities and prevent bad actors from exploiting them to launch attacks. The advisory from Broadcom contains information on patching and updating all of the impacted products.
Verifying that updates have actually been applied is an important step in patching and securing all affected products. Using VMware tools such as vSphere Update Manager and relying on official channels for patching guidance can help ensure that every host is on a fixed build. Organizations are also recommended to run risk assessments, implement access management and system defense measures, and monitor for suspicious behavior.
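One way to verify the patch state of an ESXi fleet is to compare each host's build number against the fixed build for its release line. The script below is an added example, not code from Broadcom or the advisory: it parses the output of `esxcli system version get` (the sample outputs are constructed, and how that output is collected from each host is left to the reader), then reports which hosts are below the minimum fixed build. The `FIXED_BUILDS` numbers are placeholders and must be replaced with the build numbers listed in the advisory for ESXi 7.0 and 8.0.

```python
import re
from dataclasses import dataclass
from typing import Dict

# PLACEHOLDER values: the minimum fixed build for each ESXi release line must be
# taken from the Broadcom advisory. These numbers are constructed for the demo.
FIXED_BUILDS: Dict[str, int] = {
    "7.0": 24500000,
    "8.0": 24500000,
}

# Matches the "Key: value" lines printed by `esxcli system version get`.
FIELD_RE = re.compile(
    r"^\s*(Product|Version|Build|Update|Patch):\s*(.+?)\s*$", re.MULTILINE
)


@dataclass
class HostVersion:
    product: str
    version: str   # e.g. "8.0.3"
    build: int     # numeric part of "Releasebuild-24022510"


def parse_esxcli_version(text: str) -> HostVersion:
    """Parse the output of `esxcli system version get` into a HostVersion."""
    fields = dict(FIELD_RE.findall(text))
    build_match = re.search(r"(\d+)\s*$", fields["Build"])
    if not build_match:
        raise ValueError(f"unrecognised build string: {fields['Build']!r}")
    return HostVersion(fields["Product"], fields["Version"], int(build_match.group(1)))


def patch_status(hv: HostVersion, fixed: Dict[str, int] = FIXED_BUILDS) -> str:
    """Return 'patched', 'needs-patch' or 'unknown-release' for one host."""
    release = ".".join(hv.version.split(".")[:2])   # "8.0.3" -> "8.0"
    minimum = fixed.get(release)
    if minimum is None:
        return "unknown-release"   # release line not in the table: check it manually
    return "patched" if hv.build >= minimum else "needs-patch"


def audit(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> patch status for a dict of host name -> esxcli output."""
    return {host: patch_status(parse_esxcli_version(text)) for host, text in outputs.items()}


# Constructed sample output in the shape of `esxcli system version get`; the
# build numbers are made up for the demonstration.
SAMPLE_OUTPUTS = {
    "esx-01": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24022510\n   Update: 3\n   Patch: 0\n",
    "esx-02": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24600001\n   Update: 3\n   Patch: 1\n",
    "esx-03": "   Product: VMware ESXi\n   Version: 6.7.0\n   Build: Releasebuild-17700523\n   Update: 3\n   Patch: 0\n",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown-release` are not cleared by this check; a release line missing from the table (an end-of-life version, for example) has to be reviewed against the advisory by hand rather than assumed safe.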
Conclusion
As noted in the Broadcom advisory, these vulnerabilities are of a critical nature and must be fixed as soon as possible. Organizations must take immediate action to update the affected products, confirm that every system is patched, and guard against attacks via these CVEs. It is also crucial for organizations to implement robust and layered security strategies, maintain vigilant practices, and keep up to date with threat intelligence to stop new and evolving threats.