Three VMware Zero-Days Actively Exploited In The Wild – Patch Now!

Broadcom has released urgent security updates (VMSA-2025-0004) addressing three vulnerabilities in VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform. The vulnerabilities, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow an attacker who already holds administrative privileges inside a guest VM to execute code as the VMX process on the host, escalate from that process into the ESXi kernel (a full VM escape), and leak VMX process memory. Broadcom has confirmed that exploitation in the wild has been observed, and the three issues are naturally chained: the VMCI overflow gives code execution in VMX, the arbitrary write turns that into kernel access, and the HGFS leak supplies memory contents that make the other two more reliable.

Severity Level: Critical

Vulnerability Details

1. CVE-2025-22224 (CVSS: 9.3): VMCI Heap Overflow Vulnerability in VMware ESXi, Workstation

Root Cause:

  • The vulnerability arises from a Time-of-Check to Time-of-Use (TOCTOU) race in the VMware Virtual Machine Communication Interface (VMCI) handling on the host side.
  • A value that the guest controls is validated at check time but can be changed before it is used, so a length or offset that passed validation is no longer within bounds when the copy happens. The result is an out-of-bounds heap write in the VMX process.

Exploitation:

  • A local attacker with administrative privileges inside a virtual machine (guest OS) can trigger the race and write out of bounds in host memory.
  • This yields arbitrary code execution as the VMX process, the per-VM user-space process that runs on the host (ESXi or the Workstation host OS).
  • On its own this is a guest-to-host boundary crossing but not yet kernel access; on ESXi the VMX process is sandboxed, and CVE-2025-22225 is the step that breaks out of that sandbox into the hypervisor and, from there, to every other VM on the host.

2. CVE-2025-22225 (CVSS Score: 8.2): VMware ESXi Arbitrary Write Vulnerability

Root Cause:

  • The flaw is in how the ESXi kernel handles requests coming from the VMX process: an attacker who already controls a VMX process (the position gained by exploiting CVE-2025-22224) can make the kernel perform a write to an attacker-chosen address. It is not directly reachable from an unprivileged guest; it is the second link of the chain.

Exploitation:

  • An attacker with privileges within the VMX process can use the arbitrary kernel write to corrupt ESXi kernel memory.
  • This escapes the VMX sandbox and gives code execution with kernel privileges on the ESXi host, which is the point at which the hypervisor, its management interfaces, and all co-located VMs are fully compromised.

3. CVE-2025-22226 (CVSS Score: 7.1): HGFS Information Disclosure Vulnerability in VMware ESXi, Workstation, Fusion

Root Cause:

  • A bounds-checking failure in the Host-Guest File System (HGFS) handler that runs inside the VMX process allows a guest-supplied request to cause an out-of-bounds read of VMX memory.

Exploitation:

  • A malicious actor with administrative privileges within a virtual machine can exploit this issue to leak memory contents from the VMX process.
  • VMX memory may hold sensitive data belonging to the host, and the leaked contents (heap addresses, pointers) can be used to make exploitation of CVE-2025-22224 and CVE-2025-22225 more reliable, which is why a "moderate" information disclosure belongs in the same advisory as the critical issues.

4. Affected Versions:

VMware ESXi (7.0, 8.0), VMware Workstation (17.x), VMware Fusion (13.x), VMware Cloud Foundation (4.5.x, 5.x), VMware Telco Cloud Platform (5.x, 4.x, 3.x, 2.x)

Recommendations

  1. Apply the latest security patches from Broadcom to all affected products; the advisory lists no workaround, so patching is the only complete fix. Fixed releases per VMSA-2025-0004 are ESXi 8.0 U3d and 8.0 U2d, ESXi 7.0 U3s, Workstation 17.6.3 and Fusion 13.6.3; Cloud Foundation and Telco Cloud Platform customers apply the ESXi patch through Broadcom's async patching guidance. Older ESXi lines (7.0 U1/U2, 8.0 GA/U1) receive no fix and must be upgraded.
  2. Reduce administrative access inside VMs. All three issues start from a guest administrator, so treat local admin on any VM as a host-adjacent privilege: limit who holds it, and prioritise patching hosts that run internet-facing or multi-tenant workloads where a guest compromise is most likely.
  3. Restrict communication between guest VMs and the hypervisor where possible, for example by disabling VMware Tools features that are not needed (shared folders on Workstation and Fusion). This shrinks the attack surface but is not a listed workaround and does not remove the vulnerable code paths.
  4. Keep memory protections enabled. DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) on Workstation and Fusion hosts raise the cost of turning the heap overflow into code execution, but the HGFS leak exists precisely to defeat ASLR, so these are defense in depth, not a substitute for the patch.
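To turn recommendation 1 into a repeatable check across a fleet, the script below classifies a host from the banner printed by `vmware -vl` (ESXi) or `vmware -v` (Workstation; on Fusion, `vmware-vmx -v`). It is an added example written for this advisory, not code from Broadcom or from the original post. The fixed ESXi build numbers and Workstation/Fusion versions in the table are the ones published in VMSA-2025-0004 at the time of writing and are an assumption to re-verify against the live advisory; the sample banners at the bottom are constructed, and the builds on the unpatched entries are illustrative. ESXi build numbers only compare meaningfully within one update line, so the check keys on the three-component version (8.0.3 = 8.0 U3) rather than on the bare major.

```python
"""Classify VMware hosts against the fixes published in VMSA-2025-0004.

Added example, not from the advisory or from Broadcom. Input is the banner
printed by `vmware -vl` (ESXi) or `vmware -v` / `vmware-vmx -v` (desktop).
"""
import re
from typing import NamedTuple, Optional, Tuple

# Fixed builds/versions as listed in VMSA-2025-0004 when this was written.
# ASSUMPTION: verify against the current advisory before relying on them.
FIXED_ESXI_BUILDS = {
    "8.0.3": 24585383,  # ESXi80U3d-24585383
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "7.0.3": 24585291,  # ESXi70U3s-24585291
}
FIXED_DESKTOP_VERSIONS = {
    "Workstation": (17, 6, 3),
    "Fusion": (13, 6, 3),
}

# Matches e.g. "VMware ESXi 8.0.3 build-24585383" (first line of `vmware -vl`)
# or "VMware Workstation 17.6.2 build-24409262".
VERSION_RE = re.compile(r"VMware (ESXi|Workstation|Fusion) (\d+(?:\.\d+)+)\s+build-(\d+)")


class Finding(NamedTuple):
    product: str
    version: str
    build: int
    status: str   # "patched" | "vulnerable" | "unsupported-line" | "unknown"
    detail: str


def parse_version_string(text: str) -> Optional[Tuple[str, str, int]]:
    """Return (product, dotted version, build number) or None if no banner is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def assess(text: str) -> Finding:
    """Classify one host banner against VMSA-2025-0004."""
    parsed = parse_version_string(text)
    if parsed is None:
        return Finding("?", "?", 0, "unknown", "could not parse a VMware version string")
    product, version, build = parsed

    if product == "ESXi":
        # Builds increase within an update line, so compare only against that
        # line's fixed build; a line with no fix listed must be upgraded.
        line = ".".join(version.split(".")[:3])
        fixed = FIXED_ESXI_BUILDS.get(line)
        if fixed is None:
            return Finding(product, version, build, "unsupported-line",
                           f"no fixed build listed for ESXi {line}; move to a fixed 7.0 U3 or 8.0 U2/U3 build")
        if build >= fixed:
            return Finding(product, version, build, "patched", f"build {build} >= fixed build {fixed}")
        return Finding(product, version, build, "vulnerable", f"build {build} < fixed build {fixed}")

    # Workstation / Fusion: the advisory gives fixed versions, so compare dotted versions.
    have = tuple(int(x) for x in version.split("."))
    need = FIXED_DESKTOP_VERSIONS[product]
    need_str = ".".join(str(n) for n in need)
    if have >= need:
        return Finding(product, version, build, "patched", f"{version} >= {need_str}")
    return Finding(product, version, build, "vulnerable", f"{version} < {need_str}")


# Constructed sample banners (real format; builds on unpatched entries are illustrative).
SAMPLES = [
    "VMware ESXi 8.0.3 build-24022510",
    "VMware ESXi 8.0.3 build-24585383\nVMware ESXi 8.0 Update 3",
    "VMware ESXi 7.0.3 build-24585291",
    "VMware ESXi 8.0.1 build-21495797",
    "VMware Workstation 17.6.2 build-24409262",
    "VMware Fusion 13.6.3 build-24585314",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        f = assess(banner)
        print(f"{f.status:17} {f.product} {f.version} ({f.build}): {f.detail}")
```

Run it over banners collected by SSH or PowerCLI and treat every result other than `patched` as an open item; `unsupported-line` hosts need an upgrade rather than a patch, and `unknown` means the banner came from something the regex does not recognise (a Cloud Foundation or Telco Cloud Platform bundle, for instance), so check its embedded ESXi build by hand.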

Source:

  • https://www.bleepingcomputer.com/news/security/broadcom-fixes-three-vmware-zero-days-exploited-in-attacks/
  • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390
  • https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004