
Broadcom published a critical security advisory (VMSA-2025-0004) on March 4, 2025, about three new zero-day vulnerabilities affecting multiple VMware products, including ESXi, Workstation, and Fusion.
The most severe of the vulnerabilities is CVE-2025-22224, a critical vulnerability in ESXi and Workstation. Notably, these are not remotely exploitable vulnerabilities – they require an attacker to have existing privileged access on a VM that is running on an affected VMware hypervisor.
The three zero-day vulnerabilities are:
- CVE-2025-22224 (CVSS 9.3): A Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation that can lead to an out-of-bounds write condition. An attacker with local administrative privileges on a virtual machine could exploit this issue to execute code as the virtual machine’s VMX process running on the host.
- CVE-2025-22225 (CVSS 8.2): An arbitrary write vulnerability in VMware ESXi that allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox.
- CVE-2025-22226 (CVSS 7.1): An information disclosure vulnerability in VMware ESXi, Workstation, and Fusion that arises from an out-of-bounds read in the Host Guest File System (HGFS). An attacker with administrative privileges to a virtual machine could exploit this issue to leak memory from the VMX process.
All three vulnerabilities were reported to Broadcom by the Microsoft Threat Intelligence Center. Broadcom’s advisory indicates for all three CVEs that Broadcom “has information to suggest that exploitation has occurred in the wild.” Shortly after Broadcom published its advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) added all three CVEs to the Known Exploited Vulnerabilities (KEV) list.
Based on the information in the advisory, it appears that the three vulnerabilities can be chained together.
“This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself,” the advisory reads.
There is no known public exploit code for any of the CVEs at time of publication. Nevertheless, given that ESXi hypervisors are popular targets for both financially motivated and state-sponsored adversaries, Rapid7 recommends applying vendor-supplied fixes on an expedited basis.
The following products are vulnerable to CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226:
- Broadcom VMware ESXi 7.0 and 8.0;
- Broadcom VMware Cloud Foundation 4.5.x and 5.x;
- Broadcom VMware Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x;
- Broadcom VMware Telco Cloud Infrastructure 3.x and 2.x;
- Broadcom VMware Workstation 17.x; and
- Broadcom VMware Fusion 13.x.
The most complete information on affected and fixed versions is available in Broadcom’s advisory and FAQ.
InsightVM and Nexpose customers will be able to assess their exposure to CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 on Broadcom VMware ESXi hypervisors, Fusion, and Workstation products with vulnerability checks expected to be available in March 4’s content release.