Broadcom Fixes Three VMware Zero-Days Exploited in Attacks

Broadcom has issued a warning to its customers about three critical VMware zero-days that have been exploited in recent attacks. The vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, affect various VMware ESX products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform.

Attackers who already hold privileged (administrator or root) access inside a virtual machine's guest OS can chain these flaws to escape the VM sandbox and move from the guest into the hypervisor itself. The situation is serious because a single compromised guest with privileged access is enough to gain unauthorized control over the host system.

Broadcom has confirmed that exploitation of these issues has occurred "in the wild," underscoring the urgency with which customers must address them. The company has published details on each vulnerability. CVE-2025-22224 is a critical-severity VMCI heap-overflow vulnerability that enables local attackers with administrative privileges on the targeted VM to execute code as the VMX process running on the host.

CVE-2025-22225 is an ESXi arbitrary-write vulnerability that allows the VMX process to trigger arbitrary kernel writes, leading to a sandbox escape. CVE-2025-22226 is described as an HGFS information-disclosure flaw that lets threat actors with admin permissions leak memory from the VMX process.

The vulnerabilities are particularly concerning given VMware's widespread use in enterprise operations, which often involve storing or transferring sensitive corporate data. As a result, ransomware gangs and state-sponsored hacking groups have targeted these vulnerabilities in recent attacks.

Most recently, Broadcom warned in November that attackers were actively exploiting two VMware vCenter Server vulnerabilities that were patched in September. One allows privilege escalation to root (CVE-2024-38813), while the other is a critical remote code execution flaw (CVE-2024-38812) reported during China's 2024 Matrix Cup hacking contest.

Additionally, Broadcom revealed in January 2020 that Chinese state hackers had exploited a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since at least late 2021 to deploy VirtualPita and VirtualPie backdoors on vulnerable ESXi hosts.

The Implications for VMware Customers

Customers using VMware ESX products must take immediate action to address these vulnerabilities. This includes applying the latest security patches, ensuring that all systems are up-to-date, and implementing additional security measures to prevent exploitation of these vulnerabilities.
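As an added illustration of the patch-status check a defender would run across a fleet (this is example code, not from the article or from Broadcom), the script below parses the output of `esxcli system version get` from each host and flags hosts whose build number is below the fixed build for their release line. The `REQUIRED_BUILD` table is a placeholder to be filled from the vendor advisory for these CVEs, the two host outputs are constructed sample data, and the comparison assumes (as is the case for ESXi) that build numbers increase monotonically within a release line.

```python
import re

# PLACEHOLDER: minimum fixed build per ESXi release line. Fill these in from
# the vendor advisory for CVE-2025-22224/22225/22226 before relying on the result.
REQUIRED_BUILD = {
    "8.0": 0,  # placeholder
    "7.0": 0,  # placeholder
}

# Constructed sample: what `esxcli system version get` prints on two hosts.
# The build numbers here are made up for the example.
SAMPLE_HOSTS = {
    "esx-01": """   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24022510
   Update: 3
   Patch: 0
""",
    "esx-02": """   Product: VMware ESXi
   Version: 7.0.3
   Build: Releasebuild-23794027
   Update: 3
   Patch: 0
""",
}


def parse_esxcli_version(output):
    """Turn the 'Key: value' lines printed by esxcli into a dict."""
    info = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Za-z]+):\s*(.*?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def build_number(info):
    """Extract the integer build from 'Releasebuild-NNNN' (or a bare number)."""
    raw = info.get("Build", "")
    m = re.search(r"(\d+)\s*$", raw)
    if not m:
        raise ValueError("no build number in %r" % raw)
    return int(m.group(1))


def release_line(info):
    """'8.0.3' -> '8.0': the advisory publishes one fixed build per release line."""
    return ".".join(info.get("Version", "").split(".")[:2])


def assess(output, required=REQUIRED_BUILD):
    """Return 'ok', 'patch', or 'unknown' for one host's esxcli output.

    'unknown' means the release line is not in the table, so the host needs
    manual review rather than being silently treated as patched.
    """
    info = parse_esxcli_version(output)
    line = release_line(info)
    if line not in required:
        return "unknown"
    return "patch" if build_number(info) < required[line] else "ok"


def triage(hosts, required=REQUIRED_BUILD):
    """Map host name -> status for a dict of {host: esxcli output}."""
    return {name: assess(out, required) for name, out in hosts.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {status}")
```

Feeding it real output means collecting `esxcli system version get` from each host (over SSH or PowerCLI) into the `hosts` dict; anything reported as `unknown` should be reviewed by hand rather than assumed safe.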

VMware customers should also be aware of the potential risks associated with these vulnerabilities, including the possibility of ransomware attacks or other types of cyber threats. By staying informed and taking proactive steps to secure their systems, VMware customers can minimize the risk of these vulnerabilities being exploited in future attacks.

The Larger Context

The recent discovery of these three VMware zero-days highlights the ongoing threat landscape for enterprise systems. As more organizations rely on cloud-based infrastructure and virtualization technology, the potential for exploitation of vulnerabilities such as these is likely to increase.

Moreover, the use of exploits like these in targeted attacks underscores the growing importance of cybersecurity awareness and incident response planning. By staying vigilant and taking proactive steps to secure their systems, organizations can better protect themselves against the evolving threat landscape.