On March 4, Broadcom released emergency updates to address three vulnerabilities, CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, affecting a number of VMware products including ESXi, Workstation and Fusion. A note in the Broadcom advisory states that at least one of them, CVE-2025-22224, has been exploited in real-world attacks. Chained together, the vulnerabilities allow virtual machine escape, enabling an attacker to execute code directly on the ESXi hypervisor. Information available on VMware's GitHub suggests that the Microsoft Threat Intelligence Center was the first to detect the exploit in the wild and notify Broadcom. Neither company has named the attacker or the victim.
Broadcom reports that the vulnerabilities affect VMware ESXi 7.0 and 8.0, Workstation 17.x, vSphere 6.5 through 8, Fusion 13.x, Cloud Foundation 4.5 and 5.x, Telco Cloud Platform 2.x through 5.x, and Telco Cloud Infrastructure 2.x and 3.x. However, some experts suggest that the range of affected products is probably wider. In particular, older ESXi versions such as 5.5 should be assumed vulnerable as well, but these unsupported versions are not receiving patches. According to some estimates, more than 41,000 ESXi servers worldwide were still vulnerable (mainly in China, France, the U.S., Germany, Iran and Brazil) as of the end of last week.
What issues VMware has fixed
The most severe vulnerability in VMware ESXi and Workstation, CVE-2025-22224, received a CVSS score of 9.3. It is a memory-corruption bug in VMCI (the Virtual Machine Communication Interface): a time-of-check/time-of-use race that leads to an out-of-bounds heap write. It allows an attacker with local administrative privileges on a virtual machine to execute code as the VMX process on the host, that is, the process that runs the VM on the hypervisor.
CVE-2025-22225 in VMware ESXi (CVSS 8.2) allows an attacker who already has code execution inside the VMX process (for example via CVE-2025-22224) to perform an arbitrary kernel write, which means escaping the VMX sandbox onto the hypervisor itself. CVE-2025-22226, an information disclosure vulnerability in HGFS, the host-guest file system used for shared folders (CVSS 7.1), allows an attacker with administrative access to a guest VM to read the contents of VMX process memory. VMware ESXi, Workstation and Fusion are all affected by this vulnerability.
Dangerous exploitation scenarios
The vulnerability descriptions indicate that exploitation requires an attacker to have already compromised a virtual machine and obtained administrative privileges on it. This sounds like a relatively high barrier to entry, but in practice such a scenario can materialize quite easily. The primary danger of these vulnerabilities is that they drastically shorten the path an attacker must take from compromising a single virtual machine to seizing control of the entire computing cluster. The trio of vulnerabilities lets the attacker reach hypervisor level without running "noisy" network scans for servers or having to bypass network security controls. The following are typical enterprise scenarios in which this could happen:
- VMware-based VDI workstations. A single employee makes a mistake by opening a malicious attachment on their virtual workstation. Instead of just one workstation being compromised, this leads to a large-scale incident.
- VMware-based hybrid and private clouds. A successful compromise of any server through a publicly exposed application vulnerability allows an attacker to rapidly propagate the attack across the entire network.
- Leasing virtual servers and workstations (prebuilt VMs) from an MSP. A client's mistake leading to infection of a rented host results in the compromise of all MSP clients sharing resources within the same cluster.
Some features of VMware clusters further complicate the detection and remediation of such incidents. Once an attacker compromises the hypervisor level, they automatically gain access to all storage attached to the cluster. The attacker can then move freely throughout the VMware environment, and the configuration data accessible from the hypervisor lets them conduct extensive reconnaissance without raising security alerts.
The hypervisor has no EDR agent, and security tools have very limited visibility into what is happening at cluster level. Attackers can sneak in and grab critical data such as Active Directory databases (for instance by copying a domain controller's virtual disk straight from the datastore) without the security team noticing. All of this makes the three VMware vulnerabilities a veritable goldmine for malicious actors, particularly ransomware groups, which have repeatedly attacked ESXi environments in the past: RansomExx, ESXiArgs, Clop and others.
Recommendations for organizational security
Fortunately for businesses, proof-of-concept (PoC) code for exploiting these vulnerabilities has not yet been published, so mass exploitation of the flaws has not begun. However, such code could surface at any moment, so VMware products must be updated quickly as a top priority. Since patching VMware environments can be complex, especially in high-availability infrastructures, organizations should use tools such as vMotion to move workloads off each host and apply patches without downtime.
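Before patching, you need to know which hosts are actually behind. The following is an added example (not code from the original article, nor from Broadcom or VMware) that parses the output of `esxcli system version get` captured from each host and flags which ones are still below the fixed build for their version. The hostnames, the sample esxcli output and the build thresholds are all constructed placeholders: the real minimum fixed builds must be taken from the Broadcom advisory for VMSA-2025-0004 and filled into the table before this is run against a real estate. Thresholds are keyed by three-part ESXi version because separate update levels received separate fixed builds.

```python
"""Flag ESXi hosts whose build is below the build that fixes VMSA-2025-0004.

Added example, not code from the original article or from Broadcom/VMware.
The input per host is the text of `esxcli system version get`, captured
over SSH or through a management tool.  All hostnames, sample outputs and
build thresholds below are constructed placeholders.
"""
import re
from dataclasses import dataclass

# The two lines we need from `esxcli system version get`.
_VERSION_RE = re.compile(r"^\s*Version:\s*(\d+\.\d+\.\d+)", re.MULTILINE)
_BUILD_RE = re.compile(r"^\s*Build:\s*(?:Releasebuild-)?(\d+)", re.MULTILINE)


@dataclass(frozen=True)
class HostStatus:
    host: str
    version: str
    build: int
    status: str  # "patched", "vulnerable" or "needs-upgrade"


def parse_esxcli_version(text: str) -> tuple[str, int]:
    """Return (version, build) from `esxcli system version get` output."""
    v = _VERSION_RE.search(text)
    b = _BUILD_RE.search(text)
    if not v or not b:
        raise ValueError("unrecognised esxcli output")
    return v.group(1), int(b.group(1))


def classify(host: str, text: str, fixed_builds: dict[str, int]) -> HostStatus:
    """Compare one host against the per-version minimum fixed build.

    A version with no entry in fixed_builds (an unsupported release such as
    ESXi 5.5, or an update level that never received a fix) cannot be patched
    in place and is reported as "needs-upgrade".
    """
    version, build = parse_esxcli_version(text)
    if version not in fixed_builds:
        return HostStatus(host, version, build, "needs-upgrade")
    status = "patched" if build >= fixed_builds[version] else "vulnerable"
    return HostStatus(host, version, build, status)


def audit(outputs: dict[str, str], fixed_builds: dict[str, int]) -> list[HostStatus]:
    """Classify every host; hosts that need action sort first."""
    order = {"vulnerable": 0, "needs-upgrade": 1, "patched": 2}
    results = [classify(h, t, fixed_builds) for h, t in outputs.items()]
    return sorted(results, key=lambda r: (order[r.status], r.host))


# --- constructed demo data (not real hosts, not real advisory values) --------

# PLACEHOLDER thresholds: replace with the fixed builds from the advisory.
PLACEHOLDER_FIXED_BUILDS = {
    "7.0.3": 25_000_000,
    "8.0.2": 25_000_000,
    "8.0.3": 25_000_000,
}

# Constructed `esxcli system version get` captures for three hypothetical hosts.
SAMPLE_OUTPUTS = {
    "esx-a.example.internal": (
        "   Product: VMware ESXi\n   Version: 8.0.3\n"
        "   Build: Releasebuild-24022510\n   Update: 3\n   Patch: 0\n"
    ),
    "esx-b.example.internal": (
        "   Product: VMware ESXi\n   Version: 7.0.3\n"
        "   Build: Releasebuild-25100000\n   Update: 3\n   Patch: 0\n"
    ),
    "esx-legacy.example.internal": (
        "   Product: VMware ESXi\n   Version: 5.5.0\n"
        "   Build: Releasebuild-1331820\n   Update: 2\n   Patch: 0\n"
    ),
}

if __name__ == "__main__":
    for r in audit(SAMPLE_OUTPUTS, PLACEHOLDER_FIXED_BUILDS):
        print(f"{r.status:<14} {r.host:<28} ESXi {r.version} build {r.build}")
```

Hosts whose version has no fixed build at all are deliberately reported separately from merely unpatched ones, because the remediation is different: the former need an upgrade to a supported release (or isolation and decommissioning), not just a patch baseline pushed through Lifecycle Manager.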
Patching is the only mitigation for these vulnerabilities; Broadcom lists no workarounds. Broadcom does, however, also recommend reviewing your settings against the vSphere Security Configuration & Hardening Guide. Among other things, make sure your VMware infrastructure is properly segmented so that access to the hypervisor management network is restricted.
Be sure to use cloud security tools, including having an EDR agent properly installed and running on your virtual machines. This allows detection and prevention of the initial infection stage, denying attackers the administrative access on the guest that is required to exploit these vulnerabilities.