Broadcom issued a security alert on Tuesday morning concerning three critical zero-day vulnerabilities that affect VMware products, including ESXi, Workstation, and Fusion. The vulnerabilities, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have been actively exploited in the wild, prompting Broadcom to release patches for each affected product. However, no workarounds are available, leaving users to rely on the patches to mitigate the risks associated with these vulnerabilities.
The flaws have the potential to allow attackers to execute arbitrary code, escape virtual machine (VM) sandboxes, and leak sensitive information, which poses a severe threat to system security and the integrity of virtualized environments.
CVE-2025-22224 is identified as a critical vulnerability in the VMCI (Virtual Machine Communication Interface) component of VMware ESXi and Workstation. It is classified as a heap overflow issue, and it allows attackers with local administrator privileges on a virtual machine to execute arbitrary code within the VMX process running on the host system.
This means that an attacker could potentially gain control of the hypervisor itself, which is a highly privileged environment that manages multiple virtual machines. The impact of such an exploit could be disastrous, as it would allow the attacker to take control of the host and any other VMs running on it, effectively compromising the entire virtualized infrastructure.
The second vulnerability, CVE-2025-22225, affects VMware ESXi and is a high-severity flaw that allows attackers to trigger an arbitrary kernel write.
The flaw arises within the VMX process and lets an attacker who already holds privileges inside a compromised VM execute arbitrary code on the host system, producing a VM escape: the attacker breaks out of the confines of the virtual machine and gains access to the underlying host. From there the attacker could compromise the entire host, access sensitive data, and potentially move laterally within the network, which would enable a wide range of malicious activity such as data exfiltration or the installation of additional malware.
CVE-2025-22226 is the third vulnerability and is related to an out-of-bounds read bug in the HGFS (Host-Guest File System) component of VMware ESXi, Workstation, and Fusion.
This issue allows attackers with administrative privileges in a virtual machine to leak memory from the VMX process. The information disclosure flaw could result in the exposure of sensitive information stored in the host system’s memory, including authentication tokens and other critical data. While there have been no reports of widespread exploitation, Broadcom and Microsoft Threat Intelligence Center, which helped identify the vulnerabilities, caution that the flaws may be exploited in targeted attacks.
These attacks likely involve a multi-stage process where attackers first compromise a VM before exploiting the vulnerabilities to gain access to the host system and potentially exfiltrate sensitive data.
At present, there is no public evidence indicating that these zero-day vulnerabilities have been widely exploited. However, Broadcom suggests that because these vulnerabilities require elevated privileges to exploit, they are likely being used in more targeted attacks, possibly following an initial compromise of the victim’s system. Broadcom’s analysis indicates that these flaws could lead to a VM escape, wherein an attacker gains privileged access to the hypervisor environment and can compromise both the host system and the virtual machines running on it.
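Because no workaround exists, the one control a defender can actually verify is that every host carries the patched build. The script below is an added example written for this article, not Broadcom's or VMware's own tooling: it parses the text produced by `esxcli system version get` (the `Build: Releasebuild-NNNNNNN` field) for a fleet of hosts and flags any host whose build number is below the fixed build, or whose output cannot be parsed and therefore needs manual review. The inventory text is constructed sample data, and `MIN_FIXED_BUILD_PLACEHOLDER` is an assumed placeholder: the real fixed build for each product line is not stated on this page and must be taken from the Broadcom advisory.

```python
import re
from typing import Dict, List, Optional

# PLACEHOLDER (assumption): this page does not state the patched build number.
# Replace with the fixed build for your product line from the Broadcom advisory.
MIN_FIXED_BUILD_PLACEHOLDER = 90_000_000

# Constructed sample data in the shape of `esxcli system version get` output,
# keyed by host name. Host names and build numbers are invented for this example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "esx-host-01.example.internal": (
        "   Product: VMware ESXi\n"
        "   Version: 8.0.3\n"
        "   Build: Releasebuild-12345678\n"
        "   Update: 3\n"
        "   Patch: 0\n"
    ),
    "esx-host-02.example.internal": (
        "   Product: VMware ESXi\n"
        "   Version: 8.0.3\n"
        "   Build: Releasebuild-90000001\n"
        "   Update: 3\n"
        "   Patch: 1\n"
    ),
    # Garbled output (e.g. a failed SSH capture): must surface as "unknown", never as "patched".
    "esx-host-03.example.internal": (
        "   Product: VMware ESXi\n"
        "   Build: n/a\n"
    ),
}


def parse_esxcli_version(text: str) -> Dict[str, str]:
    """Turn the 'Key: Value' lines of esxcli output into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def build_number(fields: Dict[str, str]) -> Optional[int]:
    """Extract the trailing integer from 'Releasebuild-NNNNNNNN'; None if absent."""
    match = re.search(r"(\d+)\s*$", fields.get("Build", ""))
    return int(match.group(1)) if match else None


def assess_host(name: str, text: str,
                min_fixed_build: int = MIN_FIXED_BUILD_PLACEHOLDER) -> Dict[str, object]:
    """Classify one host as patched, vulnerable, or unknown (needs manual review)."""
    fields = parse_esxcli_version(text)
    build = build_number(fields)
    if build is None:
        status = "unknown"
    elif build >= min_fixed_build:
        status = "patched"
    else:
        status = "vulnerable"
    return {"host": name, "version": fields.get("Version", "?"),
            "build": build, "status": status}


def audit(inventory: Dict[str, str],
          min_fixed_build: int = MIN_FIXED_BUILD_PLACEHOLDER) -> List[Dict[str, object]]:
    """Assess every host in the inventory, preserving inventory order."""
    return [assess_host(h, t, min_fixed_build) for h, t in inventory.items()]


def hosts_needing_action(inventory: Dict[str, str],
                         min_fixed_build: int = MIN_FIXED_BUILD_PLACEHOLDER) -> List[str]:
    """Hosts that are not confirmed patched: vulnerable builds and unparseable output alike."""
    return [r["host"] for r in audit(inventory, min_fixed_build) if r["status"] != "patched"]


if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(f"{row['host']:<32} {row['version']:<8} build={row['build']}  {row['status']}")
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
```

The comparison is only meaningful within one product line, since build numbers are not ordered across ESXi major versions or across ESXi, Workstation and Fusion; run the audit once per product with its own fixed-build value. Treating unparseable output as "needs action" rather than silently skipping it is deliberate: a host that drops out of the report is exactly the one most likely to be missed.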