Shane

ESXicape: Broadcom Reveals Three Critical VMware Zero-Day Vulnerabilities

VMware Zero-Days Put Your Virtualization at Risk – How These Critical Vulnerabilities Shatter Containment Barriers and What You Need to Do Right Now to Protect Your Infrastructure

On March 4, 2025, Broadcom issued a critical security advisory (VMSA-2025-0004) warning customers about three zero-day vulnerabilities in VMware products that are being actively exploited in the wild. Chained together, they let an attacker who already controls a virtual machine escape the VM sandbox and compromise the host, so they require immediate attention from any organization running VMware environments.

The Vulnerabilities

The three vulnerabilities, discovered and reported by the Microsoft Threat Intelligence Center (MSTIC), affect multiple VMware products including ESXi, Workstation, and Fusion:

  1. CVE-2025-22224 (CVSS score: 9.3): A critical Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation that leads to an out-of-bounds write (a heap overflow). An attacker with local administrative privileges on a virtual machine can exploit it to execute code as the VMX process on the host. VMX is the per-VM process that runs each guest on the host, so this is guest-to-host code execution, but still inside the VMX sandbox.
  2. CVE-2025-22225 (CVSS score: 8.2): An arbitrary write vulnerability in VMware ESXi only. An attacker who already controls the VMX process can trigger an arbitrary write into the ESXi kernel, escaping the VMX sandbox onto the hypervisor itself.
  3. CVE-2025-22226 (CVSS score: 7.1): An information disclosure vulnerability in VMware ESXi, Workstation, and Fusion caused by an out-of-bounds read in the Host Guest File System (HGFS). An attacker with administrative privileges on a virtual machine can use it to leak memory from the VMX process.

Attack Chain and Risk Assessment

These vulnerabilities are particularly concerning because they can be chained. Each one requires the attacker to already hold administrative access inside a guest VM, but together they turn that foothold into control of the host. Note that CVE-2025-22225 affects ESXi only: on Workstation and Fusion the chain ends at code execution as the VMX process on the host operating system, which is still a full escape from the guest onto the user's machine.

A representative attack chain looks like this:

  1. The attacker first gains administrative access inside a virtual machine (for example, a compromised guest on a shared host).
  2. Using CVE-2025-22226, they leak memory from the VMX process to learn its layout.
  3. With CVE-2025-22224, they execute code as the VMX process on the host.
  4. Finally, CVE-2025-22225 lets them write into the ESXi kernel and escape the VMX sandbox entirely.

The potential impact of successful exploitation includes:

  • Complete compromise of the hypervisor
  • Access to all virtual machines running on the affected host
  • Exposure of sensitive data, encryption keys, and customer information
  • Deployment of stealthy backdoors or ransomware
  • Ability to reconfigure the hypervisor and move laterally across systems

Patrick Tiquet, VP of Security and Architecture at Keeper Security, notes: “Administrator access inside a virtual machine is dangerous, but it doesn’t automatically give an attacker full control over the entire environment. These vulnerabilities allow attackers to break out of that VM and compromise the underlying hypervisor, putting all other VMs at risk.”

Affected Products

The following products are affected:

  • VMware ESXi 7.0 and 8.0
  • VMware Workstation 17.x
  • VMware Fusion 13.x
  • VMware Cloud Foundation 4.5.x and 5.x
  • VMware Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x
  • VMware Telco Cloud Infrastructure 3.x and 2.x

Mitigation Steps

Broadcom has released patches for all affected products and urges "prompt action" from impacted organizations. There is no workaround for any of the three vulnerabilities, so patching is the only effective fix. Because each bug requires administrative access inside a guest, tightening who holds local admin on VMs (and treating multi-tenant or internet-exposed guests as the likeliest starting point) reduces exposure while you schedule the patch, but it is not a substitute for it.

To remediate the vulnerabilities:

  1. For VMware ESXi 8.0: Apply ESXi80U3d-24585383 or ESXi80U2d-24585300 patches
  2. For VMware ESXi 7.0: Apply ESXi70U3s-24585291 patch
  3. For VMware Workstation: Update to version 17.6.3
  4. For VMware Fusion: Update to version 13.6.3
  5. For VMware Cloud Foundation and Telco Cloud Platform: Follow the async patching guides referenced in Broadcom’s advisory
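A quick way to turn the fixed build numbers above into a patch-status check. This is an added example, not code from CinchOps or Broadcom: it parses the advisory's patch identifiers (ESXi80U3d-24585383 and so on) to derive the minimum patched build for each ESXi update line, then classifies each host from the version banner that `vmware -vl` prints on an ESXi host (assumed to read "VMware ESXi 8.0.3 build-NNNN") or from a Workstation/Fusion version string. The inventory it runs over is constructed, not real hosts. Hosts on an update level that received no patch (such as 8.0 U1) are flagged separately, since they must be upgraded rather than patched in place.

```python
"""Triage VMware hosts against the VMSA-2025-0004 fixed builds.

Added example, not CinchOps' or Broadcom's code. The fixed builds come from
the patch identifiers in the advisory; the inventory below is constructed.
"""
import re

# Patch identifiers exactly as listed in the advisory: "ESXi80U3d-24585383"
# encodes ESXi 8.0, Update 3, release "d", build 24585383.
FIXED_ESXI_PATCHES = ("ESXi80U3d-24585383", "ESXi80U2d-24585300", "ESXi70U3s-24585291")

# First fixed version of the desktop hypervisors.
FIXED_DESKTOP = {"Workstation": (17, 6, 3), "Fusion": (13, 6, 3)}

_PATCH_RE = re.compile(r"ESXi(\d)(\d)U(\d)[a-z]-(\d+)")
# Assumed banner format: first line printed by `vmware -vl` on an ESXi host.
_ESXI_RE = re.compile(r"VMware ESXi (\d+\.\d+)\.(\d+) build-(\d+)")
_DESKTOP_RE = re.compile(r"VMware (Workstation|Fusion) (\d+)\.(\d+)\.(\d+)")


def fixed_esxi_builds():
    """Map 'major.minor.update' (e.g. '8.0.3') -> lowest patched build number."""
    fixed = {}
    for patch_id in FIXED_ESXI_PATCHES:
        major, minor, update, build = _PATCH_RE.fullmatch(patch_id).groups()
        fixed[f"{major}.{minor}.{update}"] = int(build)
    return fixed


def esxi_status(banner):
    """Classify an ESXi version banner.

    'patched'          build is at or above the fixed build for its update line
    'vulnerable'       same update line, older build
    'no fix for line'  an update level the advisory shipped no patch for
                       (e.g. 8.0 U1); upgrade to 8.0 U2/U3 or 7.0 U3 first
    """
    m = _ESXI_RE.search(banner)
    if not m:
        raise ValueError(f"not an ESXi version banner: {banner!r}")
    line = f"{m.group(1)}.{m.group(2)}"
    build = int(m.group(3))
    fixed = fixed_esxi_builds()
    if line not in fixed:
        return "no fix for line"
    # Assumption: later patches within one update line always carry a higher
    # build number than earlier ones, so >= is the right comparison.
    return "patched" if build >= fixed[line] else "vulnerable"


def desktop_status(banner):
    """Classify a Workstation/Fusion version string against 17.6.3 / 13.6.3."""
    m = _DESKTOP_RE.search(banner)
    if not m:
        raise ValueError(f"not a Workstation/Fusion version string: {banner!r}")
    product = m.group(1)
    version = tuple(int(x) for x in m.group(2, 3, 4))
    return "patched" if version >= FIXED_DESKTOP[product] else "vulnerable"


def triage(inventory):
    """inventory: {host_name: version banner} -> {host_name: status}."""
    results = {}
    for host, banner in inventory.items():
        if "ESXi" in banner:
            results[host] = esxi_status(banner)
        else:
            results[host] = desktop_status(banner)
    return results


# Constructed sample inventory (not real hosts or a real scan result).
SAMPLE_INVENTORY = {
    "esx01": "VMware ESXi 8.0.3 build-24585383",   # exactly the U3d fixed build
    "esx02": "VMware ESXi 8.0.3 build-24280767",   # 8.0 U3, older build
    "esx03": "VMware ESXi 8.0.2 build-24585300",   # exactly the U2d fixed build
    "esx04": "VMware ESXi 7.0.3 build-23794027",   # 7.0 U3, older build
    "esx05": "VMware ESXi 8.0.1 build-22088125",   # update line with no patch
    "ws-dev": "VMware Workstation 17.6.2",
    "mac-dev": "VMware Fusion 13.6.3",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {status:16} {SAMPLE_INVENTORY[host]}")
```

Feed it the banners collected from your hosts (over SSH, or from your inventory tool's export) and prioritize the "vulnerable" and "no fix for line" entries; the latter need a jump to a supported update line before the patch can be applied.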

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by March 25, 2025, or to stop using affected products until the flaws are fixed.

Why These Vulnerabilities Matter

Virtualization technologies like VMware ESXi represent critical infrastructure for many organizations and are high-value targets for both financially motivated cybercriminals and well-resourced advanced persistent threat (APT) groups.

In recent years, ransomware gangs have shown a particular interest in VMware vulnerabilities. In 2024, multiple ransomware groups quickly exploited an authentication bypass in ESXi (CVE-2024-37085) to deploy ransomware such as Akira and Black Basta on virtual machines. The ESXiArgs campaign in early 2023, in which ransomware operators encrypted ESXi hypervisors on thousands of servers worldwide, is another prominent example.

How CinchOps Can Help

At CinchOps, we understand the critical nature of these vulnerabilities and the urgency required to address them. Our team can assist your organization with:

  1. Rapid Vulnerability Assessment: We can quickly identify affected VMware systems in your environment and determine their patch status.
  2. Prioritized Remediation: Our experts will help you develop and implement a strategic patching plan that minimizes operational disruption while addressing the most critical risks first.
  3. Environment Hardening: Beyond just patching, we can help implement additional security controls and least-privilege access models to reduce the risk of future exploits.
  4. Ongoing Monitoring: Our continuous monitoring services can detect unusual activities that might indicate attempted exploitation of these or other vulnerabilities.
  5. Incident Response Support: If you suspect your systems may have already been compromised, our incident response team can help investigate and remediate.

Don’t wait until it’s too late. These zero-day vulnerabilities represent a serious risk to your virtual infrastructure and the sensitive data it contains.

Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page. Contact CinchOps today to ensure your VMware environment is protected against these active threats.
