0-day vulnerabilities in VMWare ESXi, Workstation and Fusion

As of March 4, 2025, VMware by Broadcom has published a security advisory warning of three zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226) that have already been exploited in the wild. Patching is urgent.

VMware Advisory VMSA-2025-0004

According to Advisory VMSA-2025-0004, the vulnerabilities (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226) affect VMware ESXi, Workstation and Fusion. The most severe of them is rated critical; the CVSS base scores range from 7.1 to 9.3. Affected are:

  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion
  • VMware Cloud Foundation
  • VMware Telco Cloud Platform

Patches have been released for every affected product. In the meantime, a blog reader has pointed this out to me (thank you), and I have also received security warnings from security companies. A FAQ from Broadcom on the vulnerabilities can be found here.

VMCI heap-overflow vulnerability (CVE-2025-22224)

The vulnerability CVE-2025-22224 in VMware ESXi and Workstation is a Time-of-Check Time-of-Use (TOCTOU) bug in VMCI that leads to an out-of-bounds write. VMware has rated the severity of this issue as critical, with a maximum CVSSv3 base score of 9.3.

A malicious actor with local administrative privileges on a virtual machine can exploit this vulnerability to execute code as the virtual machine's VMX process on the host. A patch for the affected products is available to fix CVE-2025-22224.

VMware ESXi arbitrary write vulnerability (CVE-2025-22225)

The vulnerability CVE-2025-22225 affects VMware ESXi and is an arbitrary write bug, i.e. it allows writes to attacker-chosen memory locations. VMware classifies the severity as "important", with a maximum CVSSv3 base score of 8.2.

A malicious actor with privileges within the VMX process can trigger an arbitrary kernel write that leads to an escape from the sandbox. A VMware ESXi update is available to address CVE-2025-22225.

It should be patched promptly, as VMware by Broadcom has information that CVE-2025-22225 may already have been exploited in the wild.

HGFS information-disclosure vulnerability (CVE-2025-22226)

The vulnerability CVE-2025-22226 affects VMware ESXi, Workstation and Fusion. It is an information disclosure vulnerability caused by an out-of-bounds read in HGFS. VMware classifies the severity as "important", with a maximum CVSSv3 base score of 7.1.

A malicious actor with administrative privileges on a virtual machine could potentially exploit this issue to leak memory contents from the VMX process. Patches for the affected products are available to address CVE-2025-22226.

Patches available

VMware by Broadcom has published a table in Advisory VMSA-2025-0004 listing the vulnerable product versions and links to the available patches. Some products (e.g. VMware Workstation) install the update themselves.

With VMware Workstation, however, the update fails with an error during installation on my machine. By the way, neowin.net has listed the changes in this article.

There are no known workarounds to close the vulnerabilities. It is advisable to update the products promptly.
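Since the advisory identifies fixed releases by build number, a quick way to triage an ESXi fleet is to parse the output of `esxcli system version get` on each host and compare the build against the minimum fixed build for that branch. The following Python helper is an added example, not code from this blog or from Broadcom; the sample esxcli output is constructed, and the fixed-build numbers are placeholders to be filled in from the patch table in VMSA-2025-0004.

```python
"""Triage helper: is an ESXi host's build at or above the fixed build?

Added example (not part of the original post). The esxcli output below is a
constructed sample and the FIXED_BUILDS numbers are PLACEHOLDERS; take the
real minimum fixed builds per branch from the VMSA-2025-0004 patch table.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `esxcli system version get` output from one host.
SAMPLE_ESXCLI_OUTPUT = """   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24022510
   Update: 3
   Patch: 0
"""

# PLACEHOLDER values: minimum fixed build per major.minor branch.
# Replace with the builds named in the advisory before using this for real.
FIXED_BUILDS = {
    "8.0": 99999999,  # placeholder, not from the advisory
    "7.0": 99999999,  # placeholder, not from the advisory
}


@dataclass(frozen=True)
class EsxiVersion:
    version: str  # e.g. "8.0.3"
    build: int    # numeric part of "Releasebuild-NNNNNNNN"


def parse_esxcli_version(text: str) -> EsxiVersion:
    """Extract version string and numeric build from esxcli output.

    Raises ValueError if either field is missing, so a malformed capture
    is never silently treated as 'unknown but fine'.
    """
    version = re.search(r"^\s*Version:\s*(\S+)", text, re.MULTILINE)
    build = re.search(r"^\s*Build:\s*(?:Releasebuild-)?(\d+)", text, re.MULTILINE)
    if not version or not build:
        raise ValueError("esxcli output lacks Version or Build line")
    return EsxiVersion(version.group(1), int(build.group(1)))


def branch(version: str) -> str:
    """Reduce '8.0.3' to the branch key '8.0' used by the fixed-build table."""
    return ".".join(version.split(".")[:2])


def is_patched(info: EsxiVersion, fixed=FIXED_BUILDS) -> Optional[bool]:
    """True if build >= fixed build for the branch, False if older,
    None if the branch is not in the table (needs manual review rather
    than being reported as patched)."""
    key = branch(info.version)
    if key not in fixed:
        return None
    return info.build >= fixed[key]


if __name__ == "__main__":
    host = parse_esxcli_version(SAMPLE_ESXCLI_OUTPUT)
    print(f"{host.version} build {host.build}: patched={is_patched(host)}")
```

Hosts that return `None` belong in a manual-review bucket rather than the "patched" column: a branch missing from the table is an inventory gap, not evidence of safety.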
