Critical Zero-Day Vulnerabilities in VMware Exploited at Pwn2Own 2025 – Patch Immediately
Summary : VMware fixed four vulnerabilities in VMware ESXi, Workstation, Fusion and VMware Tools that were exploited as zero-days during the Pwn2Own Berlin 2025 hacking contest in May 2025.
| OEM | Broadcom |
| Severity | Critical |
| CVSS Score | 9.3 |
| CVEs | CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
These vulnerabilities, now tracked as CVE-2025-41236, CVE-2025-41237, CVE-2025-41238 and CVE-2025-41239, could allow attackers with local administrative privileges on a virtual machine to execute arbitrary code on the host system or leak sensitive memory content.
VMware has released critical patches for affected products, including ESXi 7/8, Workstation Pro 17.x, Fusion 13.x and VMware Tools.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| VMXNET3 Integer Overflow | CVE-2025-41236 | ESXi, Workstation, Fusion | Critical (CVSS 9.3) | ESXi80U3f-24784735, ESXi70U3w-24784741, ESXi80U2e24789317, Workstation 17.6.4, Fusion 13.6.4 |
| VMCI Integer Underflow | CVE-2025-41237 | ESXi, Workstation, Fusion | Critical (CVSS 9.3) | Same as above |
| PVSCSI Heap Overflow | CVE-2025-41238 | ESXi, Workstation, Fusion | Critical (CVSS 9.3) | Same as above |
| vSockets Info Disclosure | CVE-2025-41239 | ESXi, Workstation, Fusion, VMware Tools | High (CVSS 7.1) | VMware Tools 13.0.1.0, same ESXi/Workstation/Fusion versions |
Technical Summary
These vulnerabilities impact key virtualization components, potentially enabling virtual machine breakout or data leakage from the host system.
The exploitation requires local admin privileges on the guest VM and varies in impact depending on the platform (ESXi, Workstation, or Fusion).
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-41236 | ESXi 7/8, Workstation 17.x, Fusion 13.x | Integer overflow in VMXNET3 adapter allows arbitrary code execution on the host via specially crafted network packets from a guest VM. | Host code execution from guest VM |
| CVE-2025-41237 | Same as above | Integer underflow in VMCI component can lead to out-of-bounds write and code execution in the VMX process on the host. | VM breakout; Host compromise (Workstation/Fusion) |
| CVE-2025-41238 | Same as above | Heap overflow in the PVSCSI controller allows out-of-bounds write more severe on Workstation/Fusion than ESXi due to sandbox restrictions. | Host compromise (desktop platforms); limited on ESXi |
| CVE-2025-41239 | ESXi 7/8, Workstation 17.x, Fusion 13.x, VMware Tools | Use of uninitialized memory in vSockets allows information disclosure to attackers with local VM admin rights. | Memory leak from host to guest |
Remediation:
Users and administrators are strongly advised to immediately apply the following patches to mitigate the vulnerabilities:
- VMware ESXi users must update to ESXi80U3f-24784735, ESXi80U2e-24789317 for 8.x and ESXi70U3w-24784741 for 7.x versions.
- VMware Workstation Pro users should update to version 17.6.4 or later.
- VMware Fusion users to version 13.6.4 or later.
- For VMware Tools, apply the 13.0.1.0 or later, especially for Windows guests where the vSockets vulnerability (CVE-2025-41239) is relevant.
Conclusion:
These vulnerabilities pose a serious threat to virtualization security, especially in environments using VMware Workstation and Fusion. A successful exploit could enable attackers to escape the virtual machine and compromise the host system.
Administrators should prioritize patching to avoid exposure and reduce the risk of virtual infrastructure compromise. Regular audits of virtual networking components and least-privilege access controls within guest VMs are also recommended.
References:
Recent Comments