Broadcom Fixes Three VMware Zero-Days Exploited in Attacks

Broadcom fixes three critical VMware zero-days exploited in attacks, enabling attackers to escape virtual machine sandboxes. Immediate patching is advised.

    Broadcom has issued a warning regarding three critical VMware zero-days that have been actively exploited in attacks, as reported by the Microsoft Threat Intelligence Center. These vulnerabilities affect various VMware ESX products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform.

    Details of the VMware Zero-Days

    The vulnerabilities are identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. Attackers with privileged administrator or root access can chain these vulnerabilities to escape the virtual machine’s sandbox. Broadcom explained:

    “This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself.”

    Breakdown of the VMware Zero-Day Vulnerabilities

    • CVE-2025-22224: A critical-severity VMCI heap overflow vulnerability that allows local attackers with administrative privileges on the targeted VM to execute code as the VMX process running on the host.
    • CVE-2025-22225: An ESXi arbitrary write vulnerability that allows the VMX process to trigger arbitrary kernel writes, leading to a sandbox escape.
    • CVE-2025-22226: An HGFS information-disclosure flaw that enables attackers with admin permissions to leak memory from the VMX process.

    Exploitation and Threat Landscape

    Broadcom has indicated that there is evidence to suggest these vulnerabilities have been exploited “in the wild.” VMware vulnerabilities are frequently targeted by ransomware gangs and state-sponsored hacking groups due to their presence in enterprise operations, which often handle sensitive corporate data.

    This follows a warning Broadcom issued in November about two VMware vCenter Server vulnerabilities that were actively exploited. One allowed privilege escalation to root (CVE-2024-38813), while the other was a critical remote code execution flaw (CVE-2024-38812) reported during a hacking contest in China.

    Organizations using VMware products should apply the necessary patches immediately to protect against these zero-day vulnerabilities. As cyber threats continue to evolve, staying informed and proactive is crucial for maintaining a secure environment.

