Advisory

VMware patches multiple actively exploited vulnerabilities, at least one critical

Take action: If you are using VMware ESXi, Fusion, Workstation, Cloud Foundation or Telco Cloud, check whether your product versions are vulnerable and plan a quick patch. While you don't have to panic, be aware that hackers are actively exploiting these flaws, so if a laptop or an admin account is compromised through phishing or malware, your VMware systems are exposed. Don't delay patching.



Broadcom has released security updates to address multiple vulnerabilities in VMware products that are actively being exploited by threat actors. 

The security advisory VMSA-2025-0004, issued on March 4, 2025, details three vulnerabilities affecting VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform products:

  • CVE-2025-22224 (CVSS score 9.3): A critical VMCI heap-overflow vulnerability caused by a Time-of-Check Time-of-Use (TOCTOU) issue that leads to an out-of-bounds write in VMware ESXi and Workstation. A malicious actor with local administrative privileges on a virtual machine can exploit this to execute code as the virtual machine's VMX process running on the host.
  • CVE-2025-22225 (CVSS score 8.2): An arbitrary write vulnerability in VMware ESXi that allows attackers with privileges within the VMX process to trigger arbitrary kernel writes, leading to a sandbox escape.
  • CVE-2025-22226 (CVSS score 7.1): An information disclosure vulnerability in VMware ESXi, Workstation, and Fusion due to an out-of-bounds read in HGFS (Host-Guest File System). Attackers with administrative privileges to a virtual machine can exploit this to leak memory from the VMX process.

The vulnerabilities impact multiple VMware products and versions:

  • VMware ESXi 7.0 and 8.0
  • VMware Workstation 17.x
  • VMware Fusion 13.x
  • VMware Cloud Foundation 4.5.x and 5.x
  • VMware Telco Cloud Platform 2.x, 3.x, 4.x, and 5.x
  • VMware Telco Cloud Infrastructure 2.x and 3.x

Broadcom has released patches for all affected products and strongly urges customers to update immediately. The updated versions include:

  • ESXi80U3d-24585383 for VMware ESXi 8.0
  • ESXi80U2d-24585300 for VMware ESXi 8.0
  • ESXi70U3s-24585291 for VMware ESXi 7.0
  • Workstation 17.6.3
  • Fusion 13.6.3
  • Async patches for Cloud Foundation and Telco Cloud Platform

There are no workarounds available for these vulnerabilities, making patching the only effective mitigation strategy.
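To triage an inventory against the fixed versions listed above, a check along these lines can be used. It is an added example, not code from Broadcom or from the advisory, and it assumes version strings in the `VMware ESXi X.Y.Z build-N` form, that the 8.0.3, 8.0.2 and 7.0.3 release strings correspond to the U3d, U2d and U3s patches, and that later builds on the same line include the fix; the sample inventory is constructed.

```python
import re

# Fixed builds/versions copied from the advisory text. Assumption: the
# 8.0.3 / 8.0.2 / 7.0.3 release strings map to the U3d / U2d / U3s patches.
ESXI_FIXED_BUILD = {"8.0.3": 24585383, "8.0.2": 24585300, "7.0.3": 24585291}
DESKTOP_FIXED = {"Workstation": (17, 6, 3), "Fusion": (13, 6, 3)}

ESXI_RE = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")
DESKTOP_RE = re.compile(r"VMware (Workstation|Fusion)\D*?(\d+)\.(\d+)\.(\d+)")


def assess(line):
    """Classify one inventory line: patched, vulnerable, upgrade-line, unknown."""
    m = ESXI_RE.search(line)
    if m:
        release, build = m.group(1), int(m.group(2))
        fixed = ESXI_FIXED_BUILD.get(release)
        if fixed is None:
            # Affected 7.0/8.0 release with no fixed build listed for its line:
            # it has to move to a line that has one.
            return "upgrade-line" if release.startswith(("7.0.", "8.0.")) else "unknown"
        # Assumption: builds at or above the fixed build on the same line carry the fix.
        return "patched" if build >= fixed else "vulnerable"
    m = DESKTOP_RE.search(line)
    if m:
        version = tuple(int(part) for part in m.group(2, 3, 4))
        fixed = DESKTOP_FIXED[m.group(1)]
        if version[0] != fixed[0]:
            return "unknown"  # the advisory lists only 17.x and 13.x
        return "patched" if version >= fixed else "vulnerable"
    return "unknown"


def needs_action(lines):
    """Return (line, status) for every line that is not confirmed patched."""
    return [(line, assess(line)) for line in lines if assess(line) != "patched"]


# Constructed sample inventory (host names and the older build numbers are made up).
SAMPLE = [
    "esx01: VMware ESXi 8.0.3 build-24585383",
    "esx02: VMware ESXi 8.0.3 build-24000000",
    "esx03: VMware ESXi 8.0.1 build-22000000",
    "lab-pc: VMware Workstation 17.6.3",
    "mac-07: VMware Fusion 13.5.0",
]

if __name__ == "__main__":
    for line, status in needs_action(SAMPLE):
        print(f"{status:13} {line}")
```

Lines reported as `unknown` fall outside the versions the advisory names and need a manual check against VMSA-2025-0004.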

These vulnerabilities were reported by the Microsoft Threat Intelligence Center. Broadcom (which now owns VMware) has confirmed that all three vulnerabilities are being actively exploited in the wild. The identity of the threat actors exploiting these zero-days has not been disclosed.
