The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: one in the Linux kernel and three in VMware ESXi, Workstation and related products. All four have confirmed in-the-wild exploitation, so organizations that do not address them promptly are exposed to attacks that are already happening.

The first entry is CVE-2024-50302, a Linux kernel flaw in the HID core driver. The upstream fix zero-initializes the HID report buffer at allocation time (the allocation was switched from kmalloc to kzalloc) so that a USB HID device returning a shorter report than its descriptor declares cannot leave stale kernel memory in the buffer, where it could later be read out by user space. The bug surfaced when Amnesty International's Security Lab published evidence of a Cellebrite zero-day exploit chain earlier this year; from the chain's artefacts, Google identified three vulnerabilities: CVE-2024-53104 (USB Video Class driver), CVE-2024-53197 (ALSA USB-audio driver) and CVE-2024-50302 (HID core).

CVE-2024-53104 was patched in Android's February 2025 security update. CVE-2024-53197 and CVE-2024-50302 (CVSS score 5.5) had already been fixed in the upstream Linux kernel but, at the time of Amnesty's report, had not yet been incorporated into an Android security bulletin. Amnesty International reported that the chain was likely used by Cellebrite's mobile forensic tools to unlock the Android phone of a Serbian student activist. All three bugs sit in USB device drivers and were triggered over USB by emulated peripherals, so exploitation requires physical access to the device; a kernel information leak with a medium CVSS score is nonetheless a valuable building block in a chain like this one, which is why CISA lists it.
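To make the failure mode behind CVE-2024-50302 concrete, here is an added user-space model of it; it is not the Linux kernel's code. The kernel fix changed the HID report buffer allocation from kmalloc() to kzalloc(); the recycled slab object, the "device" that sends a short report and the hidraw-style read below are simplifications invented for this example, and the 0x41 stale data stands in for whatever a freed kernel structure left behind.

```c
/* Added example, not the Linux kernel's code: a user-space model of the
 * CVE-2024-50302 failure mode (stale kernel memory in an HID report buffer).
 * The slab object, device and read path are simplifications made up for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPORT_LEN 64   /* length the HID report descriptor declares (assumed) */

/* One recycled slab object standing in for a kmalloc cache. Whatever the
 * previous owner left behind stays in it until someone overwrites it. */
static uint8_t slab_obj[REPORT_LEN];

/* kmalloc-like allocation: hand back the object without clearing it. */
static uint8_t *report_buf_kmalloc(void)
{
    return slab_obj;
}

/* kzalloc-like allocation: the fix, clear the object before use. */
static uint8_t *report_buf_kzalloc(void)
{
    memset(slab_obj, 0, sizeof slab_obj);
    return slab_obj;
}

/* A previous owner (e.g. a freed kernel struct) leaves sensitive bytes behind. */
static void previous_owner_leaves_data(void)
{
    memset(slab_obj, 0x41, sizeof slab_obj);
}

/* A malicious USB HID device answers with a shorter report than declared.
 * Returns the number of bytes it actually wrote. */
static size_t short_device_report(uint8_t *buf, size_t len)
{
    size_t actual = 8;          /* descriptor promised REPORT_LEN, device sends 8 */
    if (actual > len)
        actual = len;
    for (size_t i = 0; i < actual; i++)
        buf[i] = (uint8_t)i;
    return actual;
}

/* hidraw-style read: the driver hands the full declared report length to the
 * caller, not just the bytes the device sent. Returns how many of the copied
 * bytes beyond the device's data are stale (nonzero). */
static size_t stale_bytes_after_read(uint8_t *(*alloc)(void))
{
    uint8_t user_copy[REPORT_LEN];
    uint8_t *buf = alloc();
    size_t actual = short_device_report(buf, REPORT_LEN);
    size_t stale = 0;

    memcpy(user_copy, buf, REPORT_LEN);   /* stands in for copy_to_user() */
    for (size_t i = actual; i < REPORT_LEN; i++)
        if (user_copy[i] != 0)
            stale++;
    return stale;
}

/* Vulnerable path: buffer allocated without clearing. */
size_t leak_with_kmalloc(void)
{
    previous_owner_leaves_data();
    return stale_bytes_after_read(report_buf_kmalloc);
}

/* Fixed path: buffer zeroed at allocation, nothing stale survives. */
size_t leak_with_kzalloc(void)
{
    previous_owner_leaves_data();
    return stale_bytes_after_read(report_buf_kzalloc);
}

int main(void)
{
    printf("stale bytes reaching user space, kmalloc: %zu\n", leak_with_kmalloc());
    printf("stale bytes reaching user space, kzalloc: %zu\n", leak_with_kzalloc());
    return 0;
}
```

With the kmalloc-style allocation, 56 of the 64 bytes returned to the caller are leftovers from the previous owner; with the kzalloc-style allocation the same short report yields none. The point generalizes beyond HID: any buffer whose fill length is controlled by an untrusted peripheral must be cleared at allocation or copied out only up to the length actually received.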

Meanwhile, Broadcom has released security updates to address three VMware zero-day vulnerabilities in ESX products that are actively exploited in the wild. The flaws, tracked as CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, impact VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation and Telco Cloud Platform. CVE-2025-22224 is a time-of-check/time-of-use race in the VMCI component that leads to an out-of-bounds write (CVSS 9.3), CVE-2025-22225 is an arbitrary write in ESXi (CVSS 8.2), and CVE-2025-22226 is an out-of-bounds read in HGFS that discloses memory (CVSS 7.1). Researchers from the Microsoft Threat Intelligence Center discovered and reported the vulnerabilities.

According to Broadcom, an attacker who already has privileged administrator or root access inside a guest can chain these vulnerabilities to escape the virtual machine's sandbox. The company has confirmed that it has information suggesting that exploitation of these three flaws has occurred in the wild. "On March 4, 2025, Broadcom released a critical VMware Security Advisory (VMSA), VMSA-2025-0004, addressing security vulnerabilities found and resolved in VMware ESX regarding a mechanism where threat actors could access the hypervisor through a running virtual machine," states the company.

In simple terms, an attacker who has compromised a virtual machine's guest OS and obtained administrator or root privileges in it could move from that guest into the hypervisor, and from there to every other VM on the host. The precondition is only root inside one guest, so multi-tenant hosts and hosts running internet-facing or low-trust workloads are the most exposed. Broadcom lists no workarounds for these flaws; applying the fixed builds from VMSA-2025-0004 is the only remediation. While Broadcom has not disclosed specific details about the attacks or the threat actors behind them, the vulnerabilities clearly pose a significant risk to organizations that fail to address them promptly.

Under Binding Operational Directive 22-01, CISA has ordered federal civilian agencies to remediate all four vulnerabilities by March 25, 2025. Private organizations are also advised to review the KEV catalog and address these vulnerabilities in their infrastructure to prevent attacks.

If your organization relies on VMware ESXi, Workstation or Fusion, patch these vulnerabilities immediately and, on Android fleets, confirm that devices have picked up the kernel fixes for the Cellebrite chain. Failure to do so leaves your environment exposed to threat actors who have already demonstrated the ability to chain these flaws.
