Hacking Contest Exposes VMware Security

The recent Pwn2Own hacking contest in Berlin has revealed three successful attacks on the VMware hypervisor, exposing vulnerabilities that could be exploited by malicious actors. The cybersecurity team at Broadcom acknowledged these breaches and has announced plans to publish a VMware Security Advisory to provide information on updates for affected products.

Nguyen Hoang Thach, a security researcher from Star Labs, successfully exploited VMware ESXi on March 16, marking the first time the hypervisor had been breached at a Pwn2Own event. The exploit relied on a single integer overflow, a class of vulnerability that can be leveraged to gain unauthorized access to a system.

On March 17, Corentin Bayet, chief technology officer of Reverse Tactics, chained two vulnerabilities to exploit ESXi. One of the vulnerabilities used in the chain was already known, highlighting the importance of keeping software up to date and patching known security holes promptly.

The third successful attack was carried out by Thomas Bouzerar and Etienne Helluy-Lafont, security experts from Synacktiv, who exploited VMware Workstation. These breaches demonstrate the severity of VMware's security vulnerabilities and highlight the need for prompt action to address them.

Remediation Efforts Underway

The team at Broadcom is actively working on remediation and has committed to providing patches for the zero-day vulnerabilities demonstrated at the contest. However, some VMware users may be left vulnerable because of Broadcom's current strategy of moving customers onto VMware Cloud Foundation subscription bundles.

This shift in strategy may leave some users with gaps in their security, especially if their support contract is up for renewal. The company has informed customers that it will no longer renew support contracts for VMware products purchased on a perpetual licence basis and that support will only continue for those that move to a VMware subscription.

Critical Security Advisory Issued

Broadcom issued a critical security advisory for CVE-2025-22249, a vulnerability affecting the Aria toolset. The Cybersecurity Centre for Belgium warned that this vulnerability could be exploited through a phishing attack: if a VMware admin clicked on a malicious URL, the threat actor could gain full control of the admin's account and perform any action with that user's rights.

The advisory noted that the vulnerability has a severe impact on confidentiality but only a low impact on integrity. VMware users are urged to patch immediately: patches have been issued for Aria Automation 8.18.x and for VMware Cloud Foundation 5.x and 4.x, but no workarounds are available for older versions.

Cease-and-Desist Emails to Perpetual VMware License Holders

There have been reports that many VMware customers have received cease-and-desist emails from Broadcom regarding their perpetual VMware licenses. These emails demand the removal of patches and bug fixes that may have been installed, leaving users vulnerable to exploitation.

The lack of available workarounds for older versions of the Aria toolset has raised questions about how widely these patches will be distributed, adding to the pain for VMware users who are unable to keep their software up to date.