Broadcom urges clients to update software in response to 3 zero-days


Three critical VMware zero-days could let attackers escape virtual machines and seize control – raising alarms of cyber espionage and deep infiltration.

Broadcom, the American semiconductor and infrastructure software giant, has released a security alert warning about three critical zero-day vulnerabilities in VMware, the company’s virtual machine (VM) software.

The Microsoft Threat Intelligence Center reportedly disclosed all three vulnerabilities to Broadcom. The company claims that available information suggests the bugs are being actively exploited “in the wild.”


The company is urging all customers to apply updates that patch the vulnerabilities. While Broadcom support states that the situation is serious and should be addressed as an emergency, the specific response timing depends on “unique circumstances.”

Soon after Broadcom released its advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) included all three CVEs in the Known Exploited Vulnerabilities (KEV) list.

What vulnerabilities were discovered and what could they do?

CVE-2025-22224 is the most critical vulnerability of the three. It’s a VMCI heap overflow vulnerability affecting VMware ESXi and Workstation. An attacker with admin access to a VM could exploit this to run malicious code on the host system, the physical machine running the VM. This means they could potentially break out of the VM and control the host.

CVE-2025-22225 affects VMware ESXi and is a highly severe arbitrary file write vulnerability. By exploiting the vulnerability, an attacker who has access to the VMX process (which manages VMs on VMware ESXi) could write to the system's kernel, breaking out of the virtual machine sandbox. This could let them take control of the host machine from inside a VM.

CVE-2025-22226 is a critical vulnerability that affects VMware ESXi, Workstation, and Fusion. This security flaw leaks memory from the VMX process, meaning an attacker with admin access to a VM could potentially read sensitive data from the host system.

Which Broadcom products were affected?

  • Broadcom VMware ESXi 7.0 and 8.0
  • Broadcom VMware Cloud Foundation 4.5.x and 5.x
  • Broadcom VMware Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x
  • Broadcom VMware Telco Cloud Infrastructure 3.x and 2.x
  • Broadcom VMware Workstation 17.x
  • Broadcom VMware Fusion 13.x

Why are these vulnerabilities dangerous?

The discovered vulnerabilities are raising concerns among cybersecurity experts.

Patrick Tiquet, vice president of security and architecture at Keeper Security, told Cybernews that both cybercriminals and state-sponsored groups have exploited VMware vulnerabilities to establish long-term persistence.

“These VMware flaws are a serious risk because they allow attackers to break out of a compromised VM and take control of the underlying host system,” he said.

“The danger here is that once attackers gain access at this level, they can spread across the entire system, steal data, and install backdoors to maintain access. With confirmed exploitation in the wild, organizations must take immediate action.”

Jason Soroko, Senior Fellow at Sectigo, an SSL certificate provider, told Cybernews that the attackers exploiting such vulnerabilities are highly skilled, often backed by governments or part of advanced persistent threat (APT) groups.

They have the resources to break through initial defenses and aim to dig deep into virtualized systems. Their goals? Staying hidden for long-term access, sneaking past security barriers, spreading within the network, stealing sensitive data, planting more malware, or causing service disruptions.

“Although the three vulnerabilities share the goal of escaping the virtual machine sandbox to compromise the hypervisor, they differ technically. Their varied profiles give attackers multiple options. One flaw can be exploited independently, or they can be chained to build a more robust attack path, increasing the chance of a successful breach,” Soroko explained.

VM software is full of vulnerabilities


In January 2024, Broadcom disclosed that Chinese state-sponsored hackers had been exploiting a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since at least late 2021, using it to install VirtualPita and VirtualPie backdoors on compromised ESXi hosts.

In September 2024, the company patched a vulnerability in its VM software that was rated even more severe than the ones disclosed now. That vulnerability affected VMware Fusion, a macOS hypervisor used for running virtual machines, and allowed attackers to execute arbitrary code.

Microsoft has warned that multiple ransomware operators are exploiting another VMware ESXi authentication bypass vulnerability. Although a patch is available, ransomware operators are still capitalizing on it.

Broadcom also warned that attackers were actively exploiting two VMware vCenter Server vulnerabilities that were patched in September. One vulnerability (CVE-2024-38813) enables privilege escalation to root, while the other (CVE-2024-38812) is a critical remote code execution flaw discovered during China’s 2024 Matrix Cup hacking competition.