Security Advisory
Multiple critical vulnerabilities have been discovered in VMware products.
These vulnerabilities allow attackers to escalate privileges, execute arbitrary code on hypervisors, and exfiltrate sensitive memory data.
The vulnerabilities, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, impact VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform. Patches have been released to mitigate these risks.
Broadcom released a security alert on Tuesday morning to warn VMware customers about three zero-days that have been exploited in the wild.
| Field | Value |
|---|---|
| OEM | VMware |
| Severity | Critical |
| CVSS | 9.3 |
| CVEs | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
| Vulnerability Name | CVE ID | Product Affected | Severity |
|---|---|---|---|
| VMCI heap-overflow vulnerability | CVE-2025-22224 | VMware ESXi and Workstation | Critical |
| Arbitrary write vulnerability | CVE-2025-22225 | VMware ESXi | High |
| HGFS information-disclosure vulnerability | CVE-2025-22226 | VMware ESXi, Workstation, and Fusion | High |
Technical Summary
The vulnerabilities allow attackers with privileged access to a virtual machine (VM) to escape sandbox constraints, execute arbitrary code on the hypervisor, and exfiltrate sensitive data.
These flaws have been exploited in the wild, posing significant risks to virtualized infrastructures.
| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-22224 | VMware ESXi and Workstation | A Time-of-Check Time-of-Use (TOCTOU) race condition leading to a heap overflow in the VMX process. | Hypervisor takeover, lateral movement. |
| CVE-2025-22225 | VMware ESXi | Arbitrary write vulnerability in the VMX process that allows kernel memory manipulation, leading to a sandbox escape. | Privilege escalation, malware deployment, service disruption. |
| CVE-2025-22226 | VMware ESXi, Workstation, and Fusion | Out-of-bounds read vulnerability in the Host Guest File System (HGFS), leading to information disclosure. | Exposure of sensitive memory data. |
Remediation:
Conclusion:
The active exploitation of these vulnerabilities highlights the urgency of applying patches and enforcing security best practices. Organizations should act swiftly to mitigate risks and prevent potential breaches.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and urges immediate remediation under the Binding Operational Directive (BOD) framework. Following CISA’s guidance will help protect critical virtualized infrastructures from exploitation.
The Known Exploited Vulnerabilities (KEV) catalog maintained by the cybersecurity agency CISA currently includes 26 VMware flaws, and the new zero-days have yet to be added.
Broadcom has credited Microsoft Threat Intelligence Center for reporting these vulnerabilities.
References: