
On March 4, 2025, Broadcom disclosed three actively exploited zero-day vulnerabilities affecting VMware products, including VMware ESXi, Workstation, and Fusion. These vulnerabilities are part of a series of attacks observed in the wild, posing substantial risks to organizations reliant on VMware’s virtualization solutions. The findings, initially highlighted by Microsoft Threat Intelligence Center (MSTIC), reveal that these vulnerabilities have the potential to compromise virtualized environments on a large scale.
Three Zero-Day Vulnerabilities Unveiled
CVE-2025-22224 – TOCTOU (Time-of-Check to Time-of-Use) Race Condition Vulnerability
- Severity: Critical (CVSS Score: 9.3)
- Description: This vulnerability is a Time-of-Check to Time-of-Use (TOCTOU) race condition flaw in VMware ESXi and Workstation that leads to an out-of-bounds (OOB) write. It allows an attacker with local administrative privileges on a virtual machine to execute arbitrary code as the VMX process (the per-VM hypervisor process that runs on the host).
- Exploitation Mechanism: The attacker exploits the gap between the validation and actual use of a resource, altering data during the time window to bypass security checks.
- Impact: Successful exploitation can enable attackers to:
- Escape the VM sandbox environment.
- Compromise the hypervisor, gaining control over all virtual machines hosted on it.
- Execute privileged commands on the underlying host OS.
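The TOCTOU pattern described above can be shown with a small model. The following Python is an added example, not VMware code and not the actual flaw: a handler reads a length field from memory that the guest can write to (modelled here as a bytearray), validates it, and then re-reads it when it copies the data. A concurrent writer (the `race` callback stands in for a guest thread) changes the length between the check and the use, so the copy overruns the fixed-size destination. The hardened form fetches the length once into a private copy and uses only that value. All names (`handle_request_vulnerable`, `handle_request_hardened`, `BUF_SIZE`) are assumptions for this illustration.

```python
"""Model of a Time-of-Check to Time-of-Use (double-fetch) bug.

Added illustration, not code from VMware or from this advisory. The
shared bytearray stands in for memory the guest controls; the one-byte
field at offset 0 is a length, followed by the payload.
"""
from typing import Callable, Optional

BUF_SIZE = 16   # size of the host-side destination buffer (assumption)
HDR = 1         # one-byte length field at offset 0 of the shared region

Race = Optional[Callable[[bytearray], None]]


def _fetch_len(shared: bytearray) -> int:
    """Read the length field from guest-writable memory."""
    return shared[0]


def handle_request_vulnerable(shared: bytearray, race: Race = None) -> int:
    """Double fetch: the length is validated, then re-read for the copy.

    Returns the size of the destination after the copy; anything larger
    than BUF_SIZE is the overrun that a C memcpy would write past the
    buffer (bytearray slice assignment grows instead of crashing).
    """
    if _fetch_len(shared) > BUF_SIZE:          # time of check
        raise ValueError("length exceeds buffer")
    if race:
        race(shared)                            # concurrent guest write lands here
    n = _fetch_len(shared)                      # time of use: second, unchecked read
    dest = bytearray(BUF_SIZE)
    dest[:n] = shared[HDR:HDR + n]              # copy uses the re-read length
    return len(dest)


def handle_request_hardened(shared: bytearray, race: Race = None) -> int:
    """Single fetch: copy the length once, validate the copy, use the copy."""
    n = _fetch_len(shared)                      # one read into host-private memory
    if n > BUF_SIZE:
        raise ValueError("length exceeds buffer")
    if race:
        race(shared)                            # later guest writes cannot change n
    dest = bytearray(BUF_SIZE)
    dest[:n] = shared[HDR:HDR + n]
    return len(dest)


def make_shared(length: int) -> bytearray:
    """Constructed guest region: length byte followed by 64 payload bytes."""
    return bytearray([length]) + bytearray(range(64))


def enlarge_length(shared: bytearray) -> None:
    """Constructed race: the 'guest' rewrites the length after validation."""
    shared[0] = 40


if __name__ == "__main__":
    print("vulnerable, no race:", handle_request_vulnerable(make_shared(8)))
    print("vulnerable, raced:  ", handle_request_vulnerable(make_shared(8), enlarge_length))
    print("hardened, raced:    ", handle_request_hardened(make_shared(8), enlarge_length))
```

The defender-side lesson is the same one hypervisor code reviewers apply to any guest-shared structure: every field read from shared memory is copied once into host-private storage, and both the validation and the later use operate on that private copy.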
CVE-2025-22225 – Arbitrary Write Vulnerability in VMware ESXi
- Severity: High (CVSS Score: 8.2)
- Description: This arbitrary write vulnerability affects VMware ESXi. It enables attackers operating within the VMX process to manipulate kernel memory, potentially allowing the escape of the virtual machine sandbox and privilege escalation.
- Exploitation Mechanism: An attacker crafts memory operations to execute arbitrary write instructions that allow manipulation of host memory.
- Impact: Exploiting this flaw can result in:
- Hypervisor compromise: Full control over the VMware ESXi hypervisor.
- Lateral movement into connected networks and virtualized environments.
- Potential data theft and service disruption across compromised systems.
CVE-2025-22226 – Information Disclosure Vulnerability in VMware ESXi, Workstation, and Fusion
- Severity: High (CVSS Score: 7.1)
- Description: This is an out-of-bounds (OOB) read vulnerability in the Host Guest File System (HGFS), affecting VMware ESXi, Workstation, and Fusion. HGFS is the component that provides file sharing (shared folders) between the host and guest OS.
- Exploitation Mechanism: Attackers exploit the HGFS component to read sensitive memory areas from the VMX process.
- Impact:
- Exposure of sensitive host and virtual machine memory.
- Leakage of credentials and configuration data, aiding further exploitation.
- Assists in planning lateral movement or privilege escalation attacks.
Observed Exploitation in the Wild
Broadcom and MSTIC confirmed that these vulnerabilities have already been exploited in targeted attacks. While specific adversary groups have not been identified, their exploitation:
- Affects organizations across sectors relying on VMware’s virtualization solutions.
- Demonstrates the vulnerabilities’ capacity for chained exploitation, where attackers leverage multiple flaws to achieve:
- VM sandbox escape.
- Hypervisor compromise.
- Broad control over virtual environments and sensitive data.
By chaining vulnerabilities like CVE-2025-22224 and CVE-2025-22225, attackers can bypass privilege boundaries, enabling catastrophic breaches.
Affected VMware Products
These vulnerabilities impact the following VMware products across multiple versions:
- VMware ESXi: Versions 7.0, 8.0, and 6.7.
- VMware Workstation: Version 17.x.
- VMware Fusion: Version 13.x.
- VMware Cloud Foundation: Versions 4.5.x and 5.x.
- VMware Telco Cloud Platform: Versions 5.x, 4.x, 3.x, and 2.x.
Mitigation Measures
Immediate Actions
- Apply VMware Patches
- VMware has released patches to address all three vulnerabilities. Organizations should urgently update their systems to the following fixed versions:
- ESXi 8.0: ESXi80U3d-24585383 or ESXi80U2d-24585300.
- ESXi 7.0: ESXi70U3s-24585291.
- ESXi 6.7: ESXi670-202503001.
- Workstation 17.x: Version 17.6.3.
- Fusion 13.x: Version 13.6.3.
- Restrict Access to Management Interfaces
- Limit access to VMware management interfaces (e.g., vCenter Server, ESXi UI) to trusted IP addresses and networks only.
- Credential Reset
- Rotate administrator credentials for ESXi and management systems to prevent further exploitation if credentials have been leaked.
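To confirm that a host actually runs one of the fixed ESXi builds listed above, the following Python is an added example (not Broadcom or VMware tooling). It parses the output of `esxcli system version get` and compares the build number against the fixed builds named in this advisory: ESXi 8.0 U3d (24585383), ESXi 8.0 U2d (24585300) and ESXi 7.0 U3s (24585291). The advisory gives ESXi 6.7 only as the patch bundle ESXi670-202503001 without a build number, so that branch is reported as needing a manual check. The sample outputs embedded below are constructed, and the function names are assumptions.

```python
"""Compare an ESXi host's build number with the fixed builds in this advisory.

Added example, not vendor code. Input is the text printed by
`esxcli system version get` (run on the host, or collected centrally).
"""
import re

# Fixed builds per (major version, update level), taken from the advisory.
FIXED_BUILDS = {
    ("8.0", 3): 24585383,   # ESXi80U3d-24585383
    ("8.0", 2): 24585300,   # ESXi80U2d-24585300
    ("7.0", 3): 24585291,   # ESXi70U3s-24585291
}

# Constructed sample outputs in the key/value layout esxcli uses.
SAMPLE_PATCHED = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24585383
   Update: 3
"""

SAMPLE_VULNERABLE = """\
   Product: VMware ESXi
   Version: 7.0.3
   Build: Releasebuild-24000000
   Update: 3
"""

SAMPLE_OLD_LINE = """\
   Product: VMware ESXi
   Version: 8.0.1
   Build: Releasebuild-23000000
   Update: 1
"""


def parse_esxcli_version(text: str) -> dict:
    """Extract version, update level and numeric build from esxcli output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    build = re.search(r"(\d+)", fields.get("Build", ""))
    return {
        "version": fields.get("Version", ""),
        "update": int(fields.get("Update", "0") or 0),
        "build": int(build.group(1)) if build else None,
    }


def patch_status(info: dict) -> str:
    """Return 'patched', 'vulnerable: ...', 'manual-check: ...' or 'unknown: ...'."""
    major = ".".join(info["version"].split(".")[:2])
    if major == "6.7":
        # The advisory lists only the bundle ID for 6.7, no build number.
        return "manual-check: verify ESXi670-202503001 is installed"
    if major not in ("8.0", "7.0"):
        return "unknown: version not covered by this advisory"
    if info["build"] is None:
        return "unknown: build number not parsed"
    known_updates = [u for (v, u) in FIXED_BUILDS if v == major]
    if info["update"] > max(known_updates):
        return "patched: update line is newer than the fixed builds"
    fixed = FIXED_BUILDS.get((major, info["update"]))
    if fixed is None:
        return "vulnerable: update line has no fix, move to a fixed update line"
    if info["build"] >= fixed:
        return "patched"
    return f"vulnerable: build {info['build']} is below fixed build {fixed}"


if __name__ == "__main__":
    for name, sample in (("patched", SAMPLE_PATCHED),
                         ("vulnerable", SAMPLE_VULNERABLE),
                         ("old line", SAMPLE_OLD_LINE)):
        print(f"{name:10s} -> {patch_status(parse_esxcli_version(sample))}")
```

Workstation and Fusion are checked the same way by comparing the product version string against 17.6.3 and 13.6.3; those are plain version comparisons rather than build numbers, so they are not included here.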
Long-Term Strategies
- Network Segmentation: Segment virtualized environments and critical systems to limit attackers’ lateral movement if a breach occurs.
- Endpoint Detection and Response (EDR): Deploy advanced EDR tools to monitor hypervisor activity and detect unusual behaviors related to memory corruption or sandbox escapes.
- Security Hardened Configuration: Apply VMware’s security-hardening guides, which provide recommendations for securely configuring VMware environments.
- Proactive Monitoring:
- Monitor for web shells, privilege escalation attempts, and suspicious VM activity.
- Use SIEM solutions for log correlation and threat detection.
Key Takeaways
The discovery of these three zero-day vulnerabilities highlights the critical need for proactive security practices in organizations utilizing VMware platforms. Given the potential for full hypervisor compromise, the vulnerabilities represent an existential threat to virtualized infrastructures if left unpatched. VMware administrators must act swiftly to mitigate risks by applying patches and following best practices for securing their environments.
For more details, refer to:

