Broadcom releases updates addressing critical vulnerabilities in its VMware ESXi, Workstation and Fusion products.
Broadcom has released a swathe of updates addressing three new zero-day vulnerabilities in its VMware ESXi, Workstation and Fusion products.
CVE-2025-22224 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation that can lead to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine could exploit it to execute code as that virtual machine's VMX process running on the host.
CVE-2025-22225 is an arbitrary write vulnerability in VMware ESXi. A malicious actor who already has privileges within the VMX process could use it to trigger an arbitrary kernel write, leading to an escape from the sandbox.
Finally, CVE-2025-22226 is an information disclosure vulnerability in VMware ESXi, Workstation and Fusion. A malicious actor with administrative privileges on a virtual machine could exploit it to leak memory from the VMX process.
There are no known workarounds for these vulnerabilities; however, patches are available for all impacted products.
Unfortunately, according to Broadcom, the company “has information to suggest that exploitation has occurred in the wild”, and CISA has already added all three CVEs to its Known Exploited Vulnerabilities catalogue.
It also appears that the three vulnerabilities can be chained together.
“This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself,” Broadcom said in its advisory.
In its own report on the vulnerabilities, cyber security firm Rapid7 has suggested Broadcom customers should act quickly.
“There is no known public exploit code for any of the CVEs at time of publication,” Rapid7 said in an overnight blog post.
“Nevertheless, given that ESXi hypervisors are popular targets for both financially motivated and state-sponsored adversaries, Rapid7 recommends applying vendor-supplied fixes on an expedited basis.”
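Because the only mitigation is the vendor patch, the practical question for an ESXi administrator is whether each host's build already carries the fix. The following Python helper, added here as an example and not code from Broadcom, Rapid7 or the original article, parses the output of `esxcli system version get` and compares the reported build against the minimum fixed build for that release line. The sample output and the build numbers are constructed placeholders; take the real fixed builds for each ESXi release line from Broadcom's advisory before using the check.

```python
"""Check an ESXi host's reported build against the minimum build that carries a fix.

Added example; not part of the original article. The sample esxcli output and
the build numbers below are placeholders, not values from Broadcom's advisory.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample of `esxcli system version get` output (placeholder build).
SAMPLE_ESXCLI_OUTPUT = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24000000
   Update: 3
   Patch: 0
"""

# Placeholder: release line (major, minor) -> minimum build that carries the fix.
# Replace with the fixed builds listed in the vendor advisory for your hosts.
PLACEHOLDER_FIXED_BUILDS: Dict[Tuple[int, int], int] = {
    (8, 0): 24500000,
    (7, 0): 24400000,
}


@dataclass(frozen=True)
class EsxiVersion:
    version: Tuple[int, ...]  # e.g. (8, 0, 3)
    build: int                # numeric build, e.g. 24000000


def parse_esxcli_version(text: str) -> EsxiVersion:
    """Parse the key/value lines printed by `esxcli system version get`."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    if "Version" not in fields or "Build" not in fields:
        raise ValueError("esxcli output is missing Version or Build")
    version = tuple(int(part) for part in fields["Version"].split("."))
    # Build is printed as "Releasebuild-<number>"; keep only the number.
    match = re.search(r"(\d+)\s*$", fields["Build"])
    if not match:
        raise ValueError(f"unrecognised Build field: {fields['Build']!r}")
    return EsxiVersion(version=version, build=int(match.group(1)))


def minimum_fixed_build(host: EsxiVersion,
                        fixed_builds: Dict[Tuple[int, int], int]) -> Optional[int]:
    """Return the fixed build for the host's release line, or None if unknown."""
    return fixed_builds.get(tuple(host.version[:2]))


def is_patched(host: EsxiVersion, fixed_builds: Dict[Tuple[int, int], int]) -> bool:
    """True only when the host build is at or above the known fixed build.

    A release line missing from the table is reported as unpatched so that
    unsupported or unexpected versions are surfaced for manual review rather
    than silently passed.
    """
    minimum = minimum_fixed_build(host, fixed_builds)
    if minimum is None:
        return False
    return host.build >= minimum


def report(text: str, fixed_builds: Dict[Tuple[int, int], int]) -> str:
    """One-line human-readable verdict for an esxcli output capture."""
    host = parse_esxcli_version(text)
    minimum = minimum_fixed_build(host, fixed_builds)
    status = "PATCHED" if is_patched(host, fixed_builds) else "NEEDS ATTENTION"
    shown_min = minimum if minimum is not None else "unknown release line"
    return (f"ESXi {'.'.join(map(str, host.version))} build {host.build}: "
            f"{status} (fixed build: {shown_min})")


if __name__ == "__main__":
    print(report(SAMPLE_ESXCLI_OUTPUT, PLACEHOLDER_FIXED_BUILDS))
```

In practice the output would be collected from each host (for example over SSH or from the vSphere API) and fed to `report`; the deliberately conservative handling of unknown release lines means a host running a version not present in the table shows up as needing attention instead of being assumed safe.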
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.