{"id":37282,"date":"2025-03-05T10:56:37","date_gmt":"2025-03-05T09:56:37","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=37282"},"modified":"2025-03-05T11:06:48","modified_gmt":"2025-03-05T10:06:48","slug":"0-day-vulnerabilities-in-vmware-esxi-workstation-and-fusion","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2025\/03\/05\/0-day-vulnerabilities-in-vmware-esxi-workstation-and-fusion\/","title":{"rendered":"0-day vulnerabilities in VMWare ESXi, Workstation and Fusion"},"content":{"rendered":"<p><img decoding=\"async\" style=\"margin: 0px 10px 0px 0px;\" src=\"https:\/\/i.postimg.cc\/wvhW2rLQ\/image.png\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2025\/03\/05\/0-day-schwachstellen-in-vmware-esxi-workstation-und-fusion\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]As of March 4, 2025, VMware by Broadcom has published a security advisory to warn of three zero-day vulnerabilities CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226) that have already been exploited in the wild. Patching is urgent.<\/p>\n<p><!--more--><\/p>\n<h2>VMware Advisory VMSA-2025-0004<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg02.met.vgwort.de\/na\/7c3d46c614584b658691f23e2a8b2ef4\" alt=\"\" width=\"1\" height=\"1\" \/>According to Advisory <a href=\"https:\/\/support.broadcom.com\/web\/ecx\/support-content-notification\/-\/external\/content\/SecurityAdvisories\/0\/25390\" target=\"_blank\" rel=\"noopener\">VMSA-2025-0004<\/a>, the vulnerabilities (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226) affect VMware ESXi, Workstation and Fusion. The vulnerabilities are classified as critical with a CVSS Base Score of 7.1 to 9.3. Affected are:<\/p>\n<ul>\n<li>VMware ESXi<\/li>\n<li>VMware Workstation Pro \/ Player (Workstation)<\/li>\n<li>VMware Fusion<\/li>\n<li>VMware Cloud Foundation<\/li>\n<li>VMware Telco Cloud Platform<\/li>\n<\/ul>\n<p>Patches have been released for every affected product. In the meantime, a blog reader has pointed this out to me (thank you) and I have also received security warnings from security companies. A FAQ from Broadcom on the vulnerabilities can be found <a href=\"https:\/\/github.com\/vmware\/vcf-security-and-compliance-guidelines\/tree\/main\/security-advisories\/vmsa-2025-0004\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<h3>VMCI heap-overflow vulnerability (CVE-2025-22224)<\/h3>\n<p>The vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-22224\" target=\"_blank\" rel=\"noopener\">CVE-2025-22224<\/a> in VMware ESXi and Workstation is a Time-of-Check Time-of-Use (TOCTOU) bug that leads to an out-of-bounds write. VMware has rated the severity of this issue as critical, with a maximum CVSSv3 base score of 9.3.<\/p>\n<p>A malicious actor with local administrative privileges on a virtual machine can exploit this vulnerability to execute code as a virtual machine VMX process on the host. A patch for the affected products is available to fix the vulnerability CVE-2025-22224.<\/p>\n<h3>VMware ESXi arbitrary write vulnerability (CVE-2025-22225)<\/h3>\n<p>The vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-22225\" target=\"_blank\" rel=\"noopener\">CVE-2025-22225<\/a> affects VMware ESXi and is an arbitrary write bug that allows arbitrary writes to memory. VMware classifies the severity with a maximum CVSSv3 base score of 8.2 (important).<\/p>\n<p>A malicious actor with privileges within the VMX process can trigger an arbitrary kernel write that leads to an escape from the sandbox. A VMware ESXi update is available to address CVE-2025-22225.<\/p>\n<p>It should be patched promptly, as VMware by Broadcom has information about a possible exploitation of CVE-2025-22225 in the wild.<\/p>\n<h3>HGFS information-disclosure vulnerability (CVE-2025-22226)<\/h3>\n<p>The vulnerability <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-22226\" target=\"_blank\" rel=\"noopener\">CVE-2025-22226<\/a><\/p>\n<p>affects VMware ESXi, Workstation and Fusion. It is an Information Disclosure vulnerability that exposes information due to an out-of-bounds read in HGFS. VMware classifies the severity as \"important\" with a maximum CVSSv3 base score of 7.1.<\/p>\n<p>A malicious actor with administrative privileges to a virtual machine could potentially exploit this issue to leak memory contents from the vmx process. Patches for the affected products are available to address CVE-2025-22226.<\/p>\n<h2>Patches available<\/h2>\n<p>VMware by Broadcom has published a table with the versions of the vulnerable products and links to information on where to find the available patches in <a href=\"https:\/\/support.broadcom.com\/web\/ecx\/support-content-notification\/-\/external\/content\/SecurityAdvisories\/0\/25390\" target=\"_blank\" rel=\"noopener\">Advisory VMSA-2025-0004<\/a>.\u00a0Some updates are installed by the products (e.g. VMware Workstation).<\/p>\n<blockquote><p>With VMware Workstation, however, the update fails with an error during installation on my machine. By the way, neowin.net have listed the changes in <a href=\"https:\/\/www.neowin.net\/news\/vmware-workstation-pro-free-fixes-windows-11-freezing-boot-crash-issue-and-more\/\" target=\"_blank\" rel=\"noopener\">this article<\/a>.<\/p><\/blockquote>\n<p>There are no known workarounds to close the vulnerabilities. It is advisable to update the products promptly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]As of March 4, 2025, VMware by Broadcom has published a security advisory to warn of three zero-day vulnerabilities CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226) that have already been exploited in the wild. Patching is urgent.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547,22,1218],"tags":[69,195,1710],"class_list":["post-37282","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-update","category-virtualization","tag-security","tag-update","tag-vmware"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37282","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=37282"}],"version-history":[{"count":3,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37282\/revisions"}],"predecessor-version":[{"id":37285,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/37282\/revisions\/37285"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=37282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=37282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=37282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}