On 4 March 2025, Broadcom released patches for three zero-day vulnerabilities exploited in the wild, affecting ESXi, Workstation, and Fusion. These vulnerabilities, discovered by Microsoft, range in severity from high to critical.
| Vulnerability | CVSS | Description |
| CVE-2025-22224 | 9.3 | A critical TOCTOU (Time-of-Check Time-of-Use) vulnerability in VMware ESXi and Workstation that allows a threat actor with local administrative privileges on a virtual machine to achieve code execution as the VMX process on the host. |
| CVE-2025-22225 | 8.2 | A high-severity arbitrary write vulnerability in VMware ESXi that allows a threat actor with VMX process privileges to perform arbitrary kernel writes, potentially leading to a sandbox escape. |
| CVE-2025-22226 | 7.1 | A high-severity information disclosure vulnerability in VMware ESXi, Workstation, and Fusion that allows a threat actor with administrative privileges on a virtual machine to leak memory from the VMX process via an out-of-bounds read in the Host Guest File System (HGFS). |
Details of the exploitation have not been revealed at this time, and Arctic Wolf has not identified a public Proof-of-Concept (PoC) exploit. While these vulnerabilities require specific privileges for exploitation, threat actors have historically targeted ESXi, Workstation, and Fusion, with several vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog.
Recommendation
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest patched version of their respective VMware product.
| Product | Vulnerability | Affected Version | Fixed Version |
| VMware ESXi | | | |
| VMware Workstation | | | |
| VMware Fusion | | | |
| VMware Cloud Foundation | | | |
| VMware Telco Cloud Platform | | | |
| VMware Telco Cloud Infrastructure | | | |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.