Broadcom has released security updates to address three actively exploited security flaws in VMware ESXi, Workstation, and Fusion products that could lead to code execution and information disclosure.
The list of vulnerabilities is as follows –
- CVE-2025-22224 (CVSS score: 9.3) – A Time-of-Check Time-of-Use (TOCTOU) vulnerability that leads to an out-of-bounds write, which a malicious actor with local administrative privileges on a virtual machine could exploit to execute code as the virtual machine's VMX process running on the host
- CVE-2025-22225 (CVSS score: 8.2) – An arbitrary write vulnerability that a malicious actor with privileges within the VMX process could exploit to result in a sandbox escape
- CVE-2025-22226 (CVSS score: 7.1) – An information disclosure vulnerability due to an out-of-bounds read in HGFS that a malicious actor with administrative privileges to a virtual machine could exploit to leak memory from the vmx process
The shortcomings impact the below versions –
- VMware ESXi 8.0 – Fixed in ESXi80U3d-24585383, ESXi80U2d-24585300
- VMware ESXi 7.0 – Fixed in ESXi70U3s-24585291
- VMware Workstation 17.x – Fixed in 17.6.3
- VMware Fusion 13.x – Fixed in 13.6.3
- VMware Cloud Foundation 5.x – Async patch to ESXi80U3d-24585383
- VMware Cloud Foundation 4.x – Async patch to ESXi70U3s-24585291
- VMware Telco Cloud Platform 5.x, 4.x, 3.x, 2.x – Fixed in ESXi 7.0U3s, ESXi 8.0U2d, and ESXi 8.0U3d
- VMware Telco Cloud Infrastructure 3.x, 2.x – Fixed in ESXi 7.0U3s
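The fixed ESXi builds above are what an administrator has to check an inventory against. The following is an added example (not from Broadcom or the article) that maps each ESXi release line to its first fixed build and triages hosts from the version string `vmware -vl` prints; the sample inventory and all build numbers other than the three fixed builds are constructed for illustration.

```python
import re

# Fixed ESXi builds from the Broadcom advisory summarised above.
# Key: (major.minor, update number) -> first build carrying the fix.
# Release lines not listed (8.0.0/8.0.1, 7.0.0-7.0.2) have no fixed
# build here and must be upgraded to a fixed line.
FIXED_BUILDS = {
    ("7.0", 3): 24585291,  # ESXi70U3s-24585291
    ("8.0", 2): 24585300,  # ESXi80U2d-24585300
    ("8.0", 3): 24585383,  # ESXi80U3d-24585383
}

# Matches the first line printed by `vmware -vl` on an ESXi host,
# e.g. "VMware ESXi 8.0.3 build-24585383" (assumed format).
VERSION_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)")


def assess(version_line):
    """Return 'patched', 'vulnerable' or 'unparsed' for one host."""
    m = VERSION_RE.search(version_line)
    if not m:
        return "unparsed"
    major, minor, update, build = (int(x) for x in m.groups())
    fixed = FIXED_BUILDS.get((f"{major}.{minor}", update))
    if fixed is None:
        # No fixed build exists on this release line: treat as unpatched.
        return "vulnerable"
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory):
    """inventory: {hostname: version_line}. Returns {hostname: status}."""
    return {host: assess(line) for host, line in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; only the three fixed builds are real.
    sample = {
        "esx01": "VMware ESXi 8.0.3 build-24585383",  # U3d, patched
        "esx02": "VMware ESXi 8.0.3 build-24400000",  # pre-U3d, vulnerable
        "esx03": "VMware ESXi 8.0.2 build-24585300",  # U2d, patched
        "esx04": "VMware ESXi 7.0.3 build-24585291",  # U3s, patched
        "esx05": "VMware ESXi 7.0.3 build-23000000",  # pre-U3s, vulnerable
        "esx06": "VMware ESXi 8.0.0 build-20000000",  # no fix on this line
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Release lines newer than those in the advisory (for example a later update of 8.0) are not in the table and would be reported as vulnerable until the table is extended.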
In a separate FAQ, Broadcom said that it has "information to suggest that exploitation of these issues has occurred 'in the wild,'" but it did not elaborate on the nature of the attacks or the identity of the threat actors that have weaponized them.
The virtualization services provider credited the Microsoft Threat Intelligence Center for discovering and reporting the bugs. In light of active exploitation, it is essential that users apply the latest patches for optimal protection.
Update
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the three zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to patch them by March 25, 2025.
"This is a situation where an attacker who has already compromised a virtual machine's guest OS and gained privileged access (administrator or root) could move into the hypervisor itself," VMware added.