(TLP:CLEAR) Multiple Vulnerabilities in VMware ESXi, Workstation, and Fusion Could Allow for Local Code Execution

TLP:CLEAR

Author: Chase Snow

Created: Thursday, March 6, 2025 - 15:43

Categories: Cybersecurity, Federal & State Resources, Security Preparedness

Summary: On March 3, 2025, Broadcom patched three vulnerabilities affecting VMware ESXi, Workstation, and Fusion that threat actors are actively exploiting and that could lead to code execution and information disclosure. These vulnerabilities affect VMware ESXi versions 7.0 and 8.0, VMware Workstation 17.x, and VMware Fusion 13.x. CISA added all three to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday.

The vulnerabilities are:

  • CVE-2025-22224 – a Time-of-Check Time-of-Use (TOCTOU) flaw that causes an out-of-bounds write. Successful exploitation could allow attackers with local administrative privileges on a virtual machine to execute code as the VMX process on the host.
  • CVE-2025-22225 – an arbitrary write vulnerability that could allow an attacker within the VMX process to escape the sandbox.
  • CVE-2025-22226 – an out-of-bounds read in the Host Guest File System (HGFS), allowing attackers with administrative privileges on a virtual machine to leak memory from the VMX process.

Analyst Note: Several cybersecurity experts have observed that both cybercriminals and state-sponsored groups have previously exploited VMware vulnerabilities to gain long-term access to organizations. In a corresponding FAQ, VMware said the vulnerabilities would qualify as an emergency change, requiring prompt action from organizations. VMware noted that exploiting these vulnerabilities requires administrator/root privileges on a guest operating system, so other layers of defense can help if they are in place. There are no other meaningful workarounds that do not involve updating and restarting VMware ESX. The FAQ includes a lengthy list of product-specific guidance based on which VMware products customers are using.

Utilities that outsource technology support are encouraged to consult with their support vendors to confirm the mitigations and workarounds provided by VMware are being followed as appropriate.
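Because the only meaningful mitigation is updating, the first task for a utility or its support vendor is an inventory check: which hosts run an affected product family (ESXi 7.0/8.0, Workstation 17.x, Fusion 13.x) and which still sit below the fixed version. The following is an added example, not WaterISAC's or Broadcom's code; the inventory lines are constructed, and the FIXED_FLOOR table holds placeholder values that must be replaced with the fixed versions and build numbers published in VMSA-2025-0004.

```python
import re

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:\s+build-(\d+))?")
# Affected families per the advisory: ESXi 7.0/8.0, Workstation 17.x, Fusion 13.x.
AFFECTED_FAMILIES = {"ESXi": {"7.0", "8.0"}, "Workstation": {"17"}, "Fusion": {"13"}}
# PLACEHOLDER floor per (product, family): replace with the fixed versions/builds
# published in VMSA-2025-0004 before use. These tuples are not real patch levels.
FIXED_FLOOR = {
    ("ESXi", "7.0"): (7, 0, 3, 99999999),
    ("ESXi", "8.0"): (8, 0, 3, 99999999),
    ("Workstation", "17"): (17, 99, 0),
    ("Fusion", "13"): (13, 99, 0),
}
# Constructed sample inventory (not a real environment), "<host> <product> <version>".
SAMPLE_INVENTORY = """\
esx01 ESXi 8.0.3 build-24100000
esx02 ESXi 7.0.3 build-23700000
vm-lab Workstation 17.5.2
mac-dev Fusion 13.6.1
esx-old ESXi 6.7.0 build-17700000
"""

def parse_version(text):
    """'8.0.3 build-24100000' -> (8, 0, 3, 24100000); the ESXi build number is
    the patch level that matters, so it is kept as the last element."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + ((int(m.group(2)),) if m.group(2) else ())

def family_of(product, version):
    """Advisory family label for a parsed version, or None if out of scope."""
    label = f"{version[0]}.{version[1]}" if product == "ESXi" else str(version[0])
    return label if label in AFFECTED_FAMILIES.get(product, ()) else None

def triage(inventory=SAMPLE_INVENTORY, fixed_floor=FIXED_FLOOR):
    """Map host -> 'out-of-scope', 'patched' or 'ACTION' (update and restart)."""
    result = {}
    for line in filter(None, inventory.splitlines()):
        host, product, rest = line.split(maxsplit=2)
        version = parse_version(rest)
        family = family_of(product, version)
        if family is None:
            result[host] = "out-of-scope"
        elif version >= fixed_floor[(product, family)]:
            result[host] = "patched"
        else:
            result[host] = "ACTION"
    return result
```

Hosts reported as ACTION need the VMSA-2025-0004 update and a restart; out-of-scope hosts are outside the families this advisory names and still need their own review.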

Original Source: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

Additional Reading:

  • VMware FAQ
  • CISA, VMware warn of new vulnerabilities being exploited by hackers

Mitigation Recommendations:

  • VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)

Related WaterISAC PIRs: 6, 8, 10
