Slow Patching Leaves Thousands of ESXi Hosts at Risk of Remote Code Execution

A critical integer-overflow vulnerability, CVE-2025-41236 (CVSS 9.3), has been identified in the VMXNET3 virtual network adapter component of VMware ESXi, Workstation, and Fusion. The flaw was privately reported via Pwn2Own and disclosed in Broadcom VMSA-2025-0013 on July 15, 2025. It affects VMware’s virtualization stack, with ESXi deployments facing the greatest real-world exposure due to thousands of unpatched internet-facing systems. Public internet scans by Shadowserver detected over 17,000 vulnerable ESXi servers, and exploitation code is available in the wild.

Severity Level: Critical

Vulnerability Details

  • CVE ID: CVE-2025-41236
  • CVSS Score: 9.3
  • Vulnerability Type: Integer overflow in VMXNET3 virtual network adapter
  • Attack Vector: Local (requires access to a VM) but can escalate to ESXi host compromise; in cloud and hosting setups, may be paired with other exploits for remote entry.
  • Affected Components: VMware ESXi, Workstation, Fusion
  • The vulnerability is caused by improper integer size validation during buffer calculations within the VMXNET3 driver, leading to an integer overflow. This results in incorrect memory allocation, potentially allowing an attacker to overwrite memory in a controlled manner and execute arbitrary code on the ESXi host.
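The bullet above describes the general defect class, a buffer size computed from a guest-controlled count in fixed-width arithmetic, without any of VMware's code. The following Go program is an added illustration of that class and its standard mitigation, not code from the advisory or from VMware: `descriptorSize`, the functions, and the sample count are all constructed here. It shows a 32-bit size calculation wrapping to zero, the resulting backing buffer being smaller than the count later implies, and a checked variant that rejects the count before any allocation happens.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// Constructed element size for the illustration; not a value from the advisory.
const descriptorSize uint32 = 16

// naiveBufferSize mirrors an unchecked 32-bit computation: the product wraps
// silently, so a very large count can yield a tiny (even zero) allocation size.
func naiveBufferSize(count uint32) uint32 {
	return count * descriptorSize
}

var errOverflow = errors.New("descriptor count overflows 32-bit buffer size")

// checkedBufferSize is the hardened form: bits.Mul32 returns the high and low
// halves of the full 64-bit product, and a non-zero high half means the 32-bit
// result would have wrapped, so the request is refused instead of truncated.
func checkedBufferSize(count uint32) (uint32, error) {
	hi, lo := bits.Mul32(count, descriptorSize)
	if hi != 0 {
		return 0, errOverflow
	}
	return lo, nil
}

// allocateRing models the downstream effect of the unchecked size: the backing
// buffer is sized from the wrapped value, while the caller still believes it
// holds `count` descriptors. tooSmall reports that mismatch. (In Go a later
// out-of-range index panics; in C it would silently write past the allocation.)
func allocateRing(count uint32) (buf []byte, tooSmall bool) {
	size := naiveBufferSize(count)
	buf = make([]byte, size)
	// 64-bit arithmetic here only computes the honest required size for comparison.
	required := uint64(count) * uint64(descriptorSize)
	return buf, uint64(len(buf)) < required
}

func main() {
	// 0x10000000 * 16 == 0x1_0000_0000, which wraps to 0 in uint32.
	guestCount := uint32(0x10000000)
	fmt.Printf("naive size for count %#x: %d bytes\n", guestCount, naiveBufferSize(guestCount))
	if _, err := checkedBufferSize(guestCount); err != nil {
		fmt.Println("checked size:", err)
	}
	_, short := allocateRing(guestCount)
	fmt.Println("backing buffer smaller than the count implies:", short)
}
```

The defensive pattern is the same in any language: compute the size in a wider type or with an overflow-detecting multiply, and fail the request when the product does not fit the type the allocator is given.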
| Product | Affected Versions | Fixed Version |
|---|---|---|
| VMware ESXi 8.0 | Any prior to ESXi80U3f-24784735 / ESXi80U2e-24789317 | ESXi80U3f-24784735 / ESXi80U2e-24789317 |
| VMware ESXi 7.0 | Any prior to ESXi70U3w-24784741 | ESXi70U3w-24784741 |
| VMware Workstation 17.x | Any prior to 17.6.4 | 17.6.4 |
| VMware Fusion 13.x | Any prior to 13.6.4 | 13.6.4 |
| VMware Cloud Foundation & Telco Cloud | Versions bundling vulnerable ESXi builds | Async patch to ESXi fixed versions |
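The table gives the fixed ESXi builds, and a fleet check amounts to comparing each host's reported build against the fix for the same update train. The Go program below is an added example written for this advisory, not a VMware or Broadcom tool: it parses the version/build line that `vmware -vl` prints on an ESXi host and classifies it against the builds in the table. The mapping of version lines to update trains (8.0.3 for 8.0 Update 3, 8.0.2 for 8.0 Update 2, 7.0.3 for 7.0 Update 3) is the reader's, not stated on the page, and the host names and non-fixed build numbers in the sample inventory are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// fixedBuilds holds the fixed builds from the advisory table, keyed by the
// ESXi version line. Version-to-train mapping is an assumption of this example.
var fixedBuilds = map[string]struct {
	name  string
	build int
}{
	"8.0.3": {"ESXi80U3f", 24784735},
	"8.0.2": {"ESXi80U2e", 24789317},
	"7.0.3": {"ESXi70U3w", 24784741},
}

// versionRe matches the first line printed by `vmware -vl`, e.g.
// "VMware ESXi 8.0.3 build-24784735".
var versionRe = regexp.MustCompile(`VMware ESXi (\d+\.\d+\.\d+) build-(\d+)`)

type Assessment struct {
	Host       string
	Version    string
	Build      int
	Vulnerable bool
	Note       string
}

var errParse = errors.New("unrecognised vmware -vl output")

// assess compares one host's build against the fixed build for the same
// version line. Trains with no fix listed in the table are flagged vulnerable,
// since the only remediation the advisory offers is moving to a fixed train.
func assess(host, vmwareVL string) (Assessment, error) {
	m := versionRe.FindStringSubmatch(vmwareVL)
	if m == nil {
		return Assessment{}, errParse
	}
	build, err := strconv.Atoi(m[2])
	if err != nil {
		return Assessment{}, err
	}
	a := Assessment{Host: host, Version: m[1], Build: build}
	fix, ok := fixedBuilds[a.Version]
	switch {
	case !ok:
		a.Vulnerable = true
		a.Note = "no fixed build listed for this version line; upgrade to a fixed update train"
	case build < fix.build:
		a.Vulnerable = true
		a.Note = fmt.Sprintf("below %s (build %d)", fix.name, fix.build)
	default:
		a.Note = fmt.Sprintf("at or above %s", fix.name)
	}
	return a, nil
}

func main() {
	// Constructed inventory: host names and the non-fixed build numbers are
	// made up; only the fixed builds come from the advisory.
	inventory := map[string]string{
		"esx01": "VMware ESXi 8.0.3 build-24784735",
		"esx02": "VMware ESXi 8.0.3 build-24022510",
		"esx03": "VMware ESXi 8.0.2 build-24786000",
		"esx04": "VMware ESXi 7.0.3 build-24784741",
		"esx05": "VMware ESXi 7.0.1 build-17325551",
	}
	for host, out := range inventory {
		a, err := assess(host, out)
		if err != nil {
			fmt.Printf("%s: %v\n", host, err)
			continue
		}
		fmt.Printf("%s %s build %d vulnerable=%t (%s)\n", a.Host, a.Version, a.Build, a.Vulnerable, a.Note)
	}
}
```

Keying on the version line matters because the 8.0 Update 2 fix (24789317) carries a higher build number than the 8.0 Update 3 fix (24784735): a host on 8.0.2 with a build between those two numbers is still unpatched, and a check that compared every 8.0 host against the lower number would miss it.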

Exploitation of the Vulnerability

  1. Known Attack Vectors:
    • A malicious actor with local administrative privileges on a VM using a VMXNET3 adapter can exploit the flaw to execute code on the host.
    • Non-VMXNET3 adapters are not affected.
  2. Potential Impact:
    • Full ESXi host compromise
    • Lateral movement across VMs
    • Ransomware deployment
    • Data exfiltration from virtual environments
  3. Threat Landscape:
    • Shadowserver scans found 17,238 vulnerable ESXi IPs on July 19, 2025; by August 10, 2025 the count had fallen only to 16,330.
    • Most affected countries: France, China, USA, Germany, Russia, Netherlands, Brazil.

Recommendations

  1. Organizations running affected versions must deploy VMware’s official security updates without delay.
  2. If patching is delayed, temporarily replace VMXNET3 adapters with other virtual NIC types.
  3. Restrict public internet exposure for ESXi management interfaces; allow access only from trusted internal IP ranges or via VPN.
  4. Implement multi-factor authentication for administrative access.
  5. Isolate virtualization infrastructure from general user networks.

Source:

  • https://cybersecuritynews.com/vmware-esxi-servers-vulnerable/
  • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877

Ampcus Cyber