Broadcom has issued a security alert warning VMware customers about three zero-day vulnerabilities attackers are actively exploiting in the wild. The flaws – CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 – impact VMware ESX products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform.
The VMware Nightmare: What You Need to Know
Broadcom’s advisory states that CVE-2025-22224, the most severe of the three with a CVSS score of 9.3, is a critical VMCI heap overflow vulnerability impacting VMware ESXI and Workstation. Attackers with local administrative privileges on a virtual machine (VM) can exploit this vulnerability to execute code as the virtual machine’s VMX proves running the host.
CVE-2025-22225 is a high-severity arbitrary file write vulnerability with a CVSS score of 8.2 affecting VMware ESXi. If exploited, it allows attackers with privileges inside the VMX process to trigger an arbitrary kernel write, potentially leading to an escape from the VM’s sandbox.
CVE-2025-22226 is also a high-severity flaw. It has a CVSS base score of 7.1 and impacts VMware ESXi, Workstation, and Fusion. Caused by an out-of-bounds read bug in the HGFS component, the vulnerability allows attackers with administrative privileges to VM to leak memory from the VMX process.
Broadcom has confirmed that attackers have exploited all three vulnerabilities and urged organizations to take immediate action.
Expert Reactions
Security experts have raised concerns over the severity of these exploits and their potential for widespread impact. Patrick Tiquet, Vice President of Security & Architecture at Keeper Security, emphasized that these vulnerabilities allow attackers to break out of a compromised VM and take control of the underlying host system.
“With confirmed exploitation in the wild, organizations must take immediate action,” he warned, noting that both cybercriminals and state-sponsored groups have historically targeted VMware vulnerabilities to maintain long-term persistence.
Jason Soroko, Senior Fellow at Sectigo, highlighted the risk posed by these flaws, noting that attackers could chain them together for a more robust attack path. “Their varied profiles give attackers multiple options. One flaw can be exploited independently, or they can be combined to increase the chances of a successful breach,” he said.
Chris Gray, Field CTO at Deepwatch, warned that incomplete patching leaves systems vulnerable, particularly given VMware’s dominant position in the virtualization market. “These specific zero-day exploits can be chained together by attackers, allowing them to escalate privileges and potentially achieve administrative control of the hypervisor,” Gray explained, adding that virtualization platforms remain attractive targets due to their complex and interconnected systems.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.