VMware (Broadcom) has released urgent security updates addressing three vulnerabilities in VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform. The vulnerabilities, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow an attacker who already holds administrative privileges inside a guest virtual machine to execute code in the VMX process on the host, escalate from the VMX process to the ESXi kernel, and leak VMX process memory. Chained together they amount to a full guest-to-host escape. Broadcom reports that exploitation in the wild has been observed.
Severity Level: Critical
Vulnerability Details
1. CVE-2025-22224 (CVSS: 9.3): VMCI Heap Overflow Vulnerability in VMware ESXi, Workstation
Root Cause:
- A Time-of-Check to Time-of-Use (TOCTOU) flaw in the host-side handling of the Virtual Machine Communication Interface (VMCI): a guest-controlled value can change between the moment it is validated and the moment it is used (the classic double-fetch pattern, where the value is re-read from guest-writable memory after the check).
- Because the validated bound no longer holds at the time of use, the subsequent copy becomes an out-of-bounds write into the heap of the VMX process.
Exploitation:
- A local attacker with administrative privileges inside a guest VM can trigger the out-of-bounds write; no prior access to the host is required.
- The write lands in the VMX process, the host-side process that backs the VM, so a successful exploit yields arbitrary code execution as VMX on the host.
- On ESXi the VMX process is sandboxed, so this is the first stage of a host compromise: from VMX the attacker can chain CVE-2025-22225 to reach the hypervisor kernel and, from there, other virtual machines on the same host.
2. CVE-2025-22225 (CVSS Score: 8.2): VMware ESXi Arbitrary Write Vulnerability
Root Cause:
- An arbitrary write into ESXi kernel memory reachable from the VMX process: the hypervisor does not sufficiently constrain where a VMX-initiated write may land.
- The prerequisite is code execution within the VMX process (for example obtained via CVE-2025-22224), not merely administrative privileges inside the guest.
Exploitation:
- An attacker who controls the VMX process can use the flaw to write attacker-chosen data into kernel memory.
- This breaks out of the VMX sandbox and gives arbitrary code execution with kernel privileges on the ESXi host, completing the guest-to-host escape.
3. CVE-2025-22226 (CVSS Score: 7.1): HGFS Information Disclosure Vulnerability in VMware ESXi, Workstation, Fusion
Root Cause:
- A missing or insufficient bounds check in the Host-Guest File System (HGFS) code lets guest-supplied input drive a read past the intended buffer, an out-of-bounds read in the VMX process.
Exploitation:
- An attacker with administrative privileges inside a guest VM can use the issue to leak memory contents of the VMX process.
- Leaked VMX memory can contain sensitive data such as encryption keys, passwords, and other credentials; in an exploit chain it also yields the addresses needed to exploit the memory-corruption bugs above reliably despite ASLR.
Affected Versions
- VMware ESXi 7.0 and 8.0
- VMware Workstation 17.x
- VMware Fusion 13.x
- VMware Cloud Foundation 4.5.x and 5.x
- VMware Telco Cloud Platform 2.x, 3.x, 4.x, and 5.x
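To make the TOCTOU root cause of CVE-2025-22224 concrete, the following C program is an added illustration written for this advisory; it is not VMware's VMCI code and does not reproduce the actual bug. It models a host-side handler that validates a guest-controlled length and then re-reads it from guest-writable memory (a double fetch), next to a hardened handler that fetches the value once. The structure layouts, sizes, and the race hook that stands in for the guest being scheduled mid-handler are assumptions made for the demonstration.

```c
/*
 * Added example (not VMware code): a minimal model of the bug class behind
 * CVE-2025-22224, a TOCTOU double fetch of a guest-controlled length, next
 * to the hardened form. Struct layouts, sizes and the race hook are
 * assumptions made for the demonstration, not VMCI internals.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_CAP 32   /* host buffer the handler may legitimately fill */
#define SLACK       32   /* canary bytes after the buffer; must stay zero */

/* A datagram header in memory the guest can rewrite at any moment. */
struct shared_dgram {
    volatile uint32_t len;                 /* guest-controlled length */
    uint8_t payload[PAYLOAD_CAP + SLACK];  /* guest-controlled bytes */
};

/* Host-side destination. slack[] directly follows data[] so an overflow of
 * data[] is observable here instead of corrupting unrelated memory. */
struct host_buf {
    uint8_t data[PAYLOAD_CAP];
    uint8_t slack[SLACK];
};

/* Stand-in for the guest being scheduled between the check and the use. */
typedef void (*race_hook_t)(struct shared_dgram *);

static void guest_grows_len(struct shared_dgram *dg)
{
    dg->len = PAYLOAD_CAP + SLACK;         /* now exceeds what was checked */
}

/* Vulnerable: validates dg->len, then fetches it a second time for the copy. */
static size_t recv_vulnerable(struct shared_dgram *dg, struct host_buf *dst,
                              race_hook_t race)
{
    if (dg->len > PAYLOAD_CAP)             /* time of check: first fetch */
        return 0;
    if (race)
        race(dg);                          /* guest rewrites len here */
    size_t n = dg->len;                    /* time of use: second fetch */
    /* Demo-only backstop so this program stays memory-safe; the real target
     * has no such limit, which is exactly what makes the write out of bounds. */
    if (n > sizeof *dst)
        n = sizeof *dst;
    memcpy((uint8_t *)dst, dg->payload, n);    /* data[] is at offset 0 */
    return n;
}

/* Hardened: fetch once into private memory, validate that copy, use only it.
 * The guest may still change the shared header afterwards; it no longer
 * affects the bound. (Payload bytes changing under the copy is harmless: the
 * content is attacker-controlled either way, only the bound matters.) */
static size_t recv_hardened(struct shared_dgram *dg, struct host_buf *dst,
                            race_hook_t race)
{
    uint32_t len = dg->len;                /* single fetch */
    if (len > PAYLOAD_CAP)
        return 0;
    if (race)
        race(dg);                          /* irrelevant now */
    memcpy(dst->data, dg->payload, len);
    return len;
}

/* Runs one handler against a constructed datagram (len = 16, payload 0x41).
 * Returns bytes copied, negated if the canary region after data[] was hit. */
int run_handler(int use_hardened, int with_race)
{
    struct shared_dgram dg;
    struct host_buf buf;
    memset(&dg, 0, sizeof dg);
    memset(&buf, 0, sizeof buf);
    memset(dg.payload, 0x41, sizeof dg.payload);   /* constructed guest data */
    dg.len = 16;                                   /* passes the check */

    race_hook_t race = with_race ? guest_grows_len : NULL;
    size_t n = use_hardened ? recv_hardened(&dg, &buf, race)
                            : recv_vulnerable(&dg, &buf, race);

    for (size_t i = 0; i < SLACK; i++)
        if (buf.slack[i] != 0)
            return -(int)n;                        /* overflow observed */
    return (int)n;
}

int main(void)
{
    printf("vulnerable, no race : %d\n", run_handler(0, 0));
    printf("vulnerable, racing  : %d\n", run_handler(0, 1));
    printf("hardened,   racing  : %d\n", run_handler(1, 1));
    return 0;
}
```

Compile with any C99 compiler and run: the vulnerable handler with a racing guest copies 64 bytes and overwrites the canary region (reported as -64), while the hardened handler copies the 16 validated bytes regardless of the race. The single-fetch discipline it shows (copy shared headers into private memory, validate the private copy, never re-read the shared one) is the standard fix for this bug class in hypervisor and driver code.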
Recommendations
- Apply the patches published in VMSA-2025-0004 to all affected products (ESXi 8.0 U3d or 8.0 U2d, ESXi 7.0 U3s, Workstation 17.6.3, Fusion 13.6.3, and the corresponding Cloud Foundation and Telco Cloud Platform updates). The advisory lists no workaround, so patching is the only fix.
- Treat administrative access inside a VM as host-adjacent: all three issues start from guest administrator privileges, so minimise who holds them, and prioritise patching hosts that run VMs administered by third parties or exposed to untrusted workloads.
- Limit guest-to-host channels where the workload allows: the affected code paths are VMCI and HGFS, so disable shared folders on Workstation and Fusion VMs that do not need them and avoid exposing unnecessary guest-host integration to untrusted guests.
- Memory protections such as DEP and ASLR raise the cost of exploiting memory corruption on Workstation and Fusion hosts, but they are not a mitigation for these bugs and cannot be relied on in place of the patch.
- Because exploitation has been observed, assume that an unpatched host on which an untrusted or compromised guest held administrative rights may itself be compromised: investigate before patching over the evidence, and rotate credentials that may have been resident in VMX memory.
Source:
- https://www.bleepingcomputer.com/news/security/broadcom-fixes-three-vmware-zero-days-exploited-in-attacks/
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390
- https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004