VMware Fixes Three Actively Exploited Zero-Days in ESX Products

Broadcom has taken decisive action to address three VMware zero-day vulnerabilities in its ESX products, which are being actively exploited in the wild. The security updates, released on March 4, 2025, aim to prevent threat actors from chaining these vulnerabilities to escape the virtual machine sandbox.

The Vulnerabilities

Researchers at Microsoft Threat Intelligence Center discovered three critical vulnerabilities, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. These flaws impact multiple VMware ESX products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform.

The vulnerabilities allow an attacker who already holds privileged (administrator or root) access inside a virtual machine's guest operating system to perform a "VM escape": breaking out of the compromised guest and gaining access to the hypervisor itself.

Exploitation in the Wild

Broadcom has confirmed that exploitation of these three flaws has occurred in the wild. The company states: "We have information to suggest that exploitation of these issues has occurred 'in the wild.' This is a situation where an attacker who has already compromised a virtual machine's guest OS and gained privileged access (administrator or root) could move into the hypervisor itself."

However, Broadcom has not disclosed specific details about the attacks or the threat actors behind them. The company has released a critical VMware Security Advisory (VMSA), VMSA-2025-0004, to address these security vulnerabilities and prevent further exploitation.

Conclusion

VMware's timely response to these actively exploited zero-days is a testament to the importance of regular security updates and vulnerability patching. As threat actors continue to evolve and exploit new vulnerabilities, it is essential for organizations to stay vigilant and keep their virtual environments up to date with the latest security patches.
