Critical VMware Vulnerabilities: CISA Mandates Immediate Patching


Broadcom has issued urgent security updates to address three critical vulnerabilities in VMware ESXi, Workstation, and Fusion that are actively being exploited. These flaws pose significant risks, including code execution and data leaks, making it crucial for users to update their systems immediately.

Details of the Exploited VMware Vulnerabilities

The three vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, impact multiple VMware products. Here’s a breakdown of these security flaws:

  • CVE-2025-22224 (CVSS 9.3 – Critical): A Time-of-Check Time-of-Use (TOCTOU) flaw that allows an out-of-bounds write. Attackers with local admin privileges on a virtual machine could exploit this to execute malicious code on the host system.

  • CVE-2025-22225 (CVSS 8.2 – High): An arbitrary write vulnerability that enables attackers with access to the VMX process to escape the sandbox, potentially compromising the host machine.

  • CVE-2025-22226 (CVSS 7.1 – High): An information disclosure flaw caused by an out-of-bounds read in the HGFS system. Hackers with admin access to a virtual machine could exploit this to leak sensitive data from the host.

Affected VMware Versions

The security flaws impact the following VMware products and versions:

  • VMware ESXi 8.0 – Fixed in ESXi80U3d-24585383, ESXi80U2d-24585300

  • VMware ESXi 7.0 – Fixed in ESXi70U3s-24585291

  • VMware Workstation 17.x – Fixed in version 17.6.3

  • VMware Fusion 13.x – Fixed in version 13.6.3

  • VMware Cloud Foundation 5.x – Requires an async patch to ESXi80U3d-24585383

  • VMware Cloud Foundation 4.x – Requires an async patch to ESXi70U3s-24585291

  • VMware Telco Cloud Platform (Versions 5.x, 4.x, 3.x, 2.x) – Fixed in ESXi 7.0U3s, ESXi 8.0U2d, and ESXi 8.0U3d

  • VMware Telco Cloud Infrastructure (Versions 3.x, 2.x) – Fixed in ESXi 7.0U3s
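As an added example (not part of the advisory or any Broadcom tooling), the following Python helper parses the output of `esxcli system version get` from an ESXi host and compares the reported build against the fixed builds listed above. It assumes that command's key/value layout (Product, Version, Build, Update lines); the sample outputs are constructed.

```python
import re

# Fixed builds from the advisory, keyed by (ESXi release line, Update level).
FIXED_BUILDS = {
    ("8.0", "3"): 24585383,  # ESXi80U3d-24585383
    ("8.0", "2"): 24585300,  # ESXi80U2d-24585300
    ("7.0", "3"): 24585291,  # ESXi70U3s-24585291
}

def parse_esxcli_version(output: str) -> dict:
    """Turn the 'Key: value' lines of `esxcli system version get` into a dict."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Za-z]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def assess_host(output: str) -> tuple[str, str]:
    """Return (status, reason): 'patched', 'vulnerable', 'upgrade' or 'unknown'."""
    fields = parse_esxcli_version(output)
    version = fields.get("Version", "")
    train = ".".join(version.split(".")[:2])        # e.g. "8.0.3" -> "8.0"
    update = fields.get("Update", "")
    m = re.search(r"(\d+)\s*$", fields.get("Build", ""))  # "Releasebuild-24585383"
    if not m:
        return ("unknown", "could not parse a build number from the Build field")
    build = int(m.group(1))
    fixed = FIXED_BUILDS.get((train, update))
    if fixed is None:
        # Older update trains (e.g. 8.0 U1, 7.0 U2) have no fixed build listed;
        # they must move to a release that does.
        return ("upgrade", f"ESXi {version} Update {update} has no listed fix; upgrade to a fixed release")
    if build >= fixed:
        return ("patched", f"build {build} >= fixed build {fixed}")
    return ("vulnerable", f"build {build} < fixed build {fixed}")

# Constructed sample outputs (not captured from real hosts).
SAMPLE_PATCHED = "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24585383\n   Update: 3\n   Patch: 0\n"
SAMPLE_VULNERABLE = "   Product: VMware ESXi\n   Version: 7.0.3\n   Build: Releasebuild-23794027\n   Update: 3\n   Patch: 0\n"
SAMPLE_OLD_TRAIN = "   Product: VMware ESXi\n   Version: 8.0.1\n   Build: Releasebuild-22088125\n   Update: 1\n   Patch: 0\n"

if __name__ == "__main__":
    for name, sample in [("patched", SAMPLE_PATCHED), ("vulnerable", SAMPLE_VULNERABLE), ("old train", SAMPLE_OLD_TRAIN)]:
        status, reason = assess_host(sample)
        print(f"{name:10s} -> {status}: {reason}")
```

On a real host the same check is `esxcli system version get` piped into `assess_host`; Workstation and Fusion are checked by product version (17.6.3 / 13.6.3) rather than build number.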

Active Exploitation Confirmed

Broadcom has confirmed that these vulnerabilities are being exploited in real-world attacks but has not disclosed specific details about the threat actors or attack methods. Microsoft Threat Intelligence Center is credited with discovering and reporting the vulnerabilities.

According to VMware, attackers who have already compromised a virtual machine with administrator or root privileges could escalate their attack, moving from the guest OS to the hypervisor itself. This increases the risk of broader system compromise, making patching essential.

CISA Adds VMware Flaws to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply patches by March 25, 2025.

CISA’s inclusion of these VMware flaws in its KEV list highlights the urgency of mitigation, as they pose a severe threat to cloud and enterprise environments using VMware products.


Why Immediate Patching is Critical

Organizations running VMware ESXi, Workstation, or Fusion must prioritize patching to prevent potential security breaches. Since attackers are already exploiting these vulnerabilities, delaying updates could result in:

  • Unauthorized access to virtual environments

  • Data breaches and leakage of sensitive information

  • Increased risk of lateral movement within networks

  • Disruption of critical services relying on VMware infrastructure

Secure VMware Systems

To protect your VMware infrastructure from these active exploits, take the following steps:

  1. Apply the latest patches: Download and install Broadcom’s security updates for your VMware product version.

  2. Monitor for suspicious activity: Check system logs for signs of unauthorized access or exploitation attempts.

  3. Restrict admin privileges: Limit access to virtual machines and ensure only trusted users have administrative rights.

  4. Use network segmentation: Isolate virtualized environments to minimize the risk of an attacker spreading within the network.

  5. Follow VMware’s security best practices: Regularly review official VMware security advisories and implement recommended configurations.

Conclusion

The active exploitation of these VMware vulnerabilities poses a serious risk to businesses and cloud infrastructure. Given the critical nature of these flaws, immediate patching is the best defense. Organizations should not delay updates and must take proactive measures to secure their VMware environments against potential cyber threats.

For more details and patching instructions, visit VMware’s official security advisory page.
