
Broadcom Issues Warning to VMware Users About Critical Zero-Day Exploits


Broadcom issued a security alert warning VMware customers about three zero-day vulnerabilities that attackers are actively exploiting in the wild. The vulnerabilities, known as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, impact various VMware ESX products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform.

According to Broadcom’s advisory, CVE-2025-22224 is the most severe of the three vulnerabilities with a CVSS score of 9.3. This critical VMCI heap overflow vulnerability affects VMware ESXi and Workstation. Attackers with local administrative privileges on a virtual machine (VM) can exploit this vulnerability to execute code as the virtual machine’s VMX process running on the host.

CVE-2025-22225 is a high-severity arbitrary file write vulnerability with a CVSS score of 8.2 that impacts VMware ESXi. If exploited, attackers with privileges inside the VMX process can trigger an arbitrary kernel write, potentially leading to an escape from the VM’s sandbox.

The third vulnerability, CVE-2025-22226, is also high-severity with a CVSS base score of 7.1. It impacts VMware ESXi, Workstation, and Fusion and is caused by an out-of-bounds read bug in the HGFS component. Attackers with administrative privileges to the VM can exploit this vulnerability to leak memory from the VMX process.

Broadcom confirmed that attackers have already exploited all three vulnerabilities and urged organizations to take immediate action to address the security risks.

Security experts expressed concerns over the severity of these exploits and their potential impact. Patrick Tiquet, Vice President of Security & Architecture at Keeper Security, warned that these vulnerabilities allow attackers to break out of a compromised VM and take control of the underlying host system. He emphasized the importance of organizations taking immediate action to mitigate these risks.

Jason Soroko, Senior Fellow at Sectigo, highlighted the risk posed by chaining these vulnerabilities together for a more robust attack path. He noted that attackers could exploit these vulnerabilities independently or in combination to increase the likelihood of a successful breach.

Chris Gray, Field CTO at Deepwatch, warned about the dangers of incomplete patching leaving systems vulnerable, especially considering VMware’s dominant position in the virtualization market. He explained how attackers could chain these zero-day exploits together to escalate privileges and potentially gain administrative control of the hypervisor.

In conclusion, the exploitation of these vulnerabilities underscores the importance of prompt action by organizations to secure their VMware environments. The varied profiles of the vulnerabilities provide attackers with multiple options for compromising systems, making it essential for organizations to stay vigilant and apply necessary patches and security measures to protect their virtualization infrastructure.
