On March 4, 2025, Broadcom issued a significant security advisory disclosing three new zero-day vulnerabilities that affect several VMware products, including ESXi, Workstation, and Fusion. The most critical of these is CVE-2025-22224, which affects ESXi and Workstation. None of the three is remotely exploitable: each requires an attacker to already hold privileged access on a virtual machine running on a compromised VMware hypervisor.

Details of the Vulnerabilities

The vulnerabilities identified in the advisory pose serious risks to affected systems. Each vulnerability has distinct characteristics and potential impacts, which are crucial for cybersecurity professionals to understand.

CVE-2025-22224: TOCTOU Vulnerability

This vulnerability is a Time-of-Check Time-of-Use (TOCTOU) flaw in VMware ESXi and Workstation that leads to an out-of-bounds write. An attacker with local administrative privileges on a virtual machine can exploit it to execute code as the VMX process on the host. It carries a CVSS score of 9.3, placing it in the critical range.

CVE-2025-22225: Arbitrary Write Vulnerability

With a CVSS score of 8.2, this vulnerability allows attackers with privileges within the VMX process to perform arbitrary kernel writes, potentially escaping the sandbox. This flaw is specific to VMware ESXi.

CVE-2025-22226: Information Disclosure Vulnerability

This vulnerability, scoring 7.1 on the CVSS scale, involves an out-of-bounds read in the Host Guest File System (HGFS) of VMware ESXi, Workstation, and Fusion. Attackers with administrative access to a virtual machine could exploit this to leak memory from the VMX process.

  • Key Point 1: All three vulnerabilities require privileged access to exploit.
  • Key Point 2: These vulnerabilities have reportedly been exploited in the wild.

Implications and Recommendations

The vulnerabilities were reported to Broadcom by the Microsoft Threat Intelligence Center, and Broadcom's advisory suggests that exploitation has occurred in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to their Known Exploited Vulnerabilities list. It is critical for organizations using affected VMware products to apply the vendor-supplied patches promptly to mitigate potential risks.

Affected Products

The following products are vulnerable to CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226:

  • Broadcom VMware ESXi 7.0 and 8.0
  • Broadcom VMware Cloud Foundation 4.5.x and 5.x
  • Broadcom VMware Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x
  • Broadcom VMware Telco Cloud Infrastructure 3.x and 2.x

Products vulnerable to CVE-2025-22224 and CVE-2025-22226 include:

  • Broadcom VMware Workstation 17.x

The following product is vulnerable to CVE-2025-22226:

  • Broadcom VMware Fusion 13.x
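The affected-product lists above are what a defender needs to turn an asset inventory into a patch list. The following Python script is an added example, not Broadcom's or the advisory's own tooling: it transcribes the product and version-line matrix from this page, matches concrete version strings against it, and reports which CVEs apply to each inventory record. The inventory records, host names, and the assumption that "ESXi 7.0 and 8.0" means the 7.0.x and 8.0.x lines are constructed for the example. Because the page does not give fixed build numbers, the script flags affected version lines rather than patch status; the installed build must still be compared against the vendor advisory.

```python
"""Triage a VMware product inventory against the advisory's affected-product lists.

Added example (not Broadcom's or the advisory's own tooling). The product and
version-line matrix is transcribed from the advisory summary above; the
inventory records below are constructed for illustration.
"""
from typing import Dict, List, Tuple

ALL_THREE = ["CVE-2025-22224", "CVE-2025-22225", "CVE-2025-22226"]

# (product name, affected version-line patterns, CVEs that apply), per the page.
# A pattern component "x" matches any remaining components; a pattern with only
# concrete components ("7.0") is assumed to cover the whole 7.0.x line.
AFFECTED: List[Tuple[str, List[str], List[str]]] = [
    ("vmware esxi", ["7.0", "8.0"], ALL_THREE),
    ("vmware cloud foundation", ["4.5.x", "5.x"], ALL_THREE),
    ("vmware telco cloud platform", ["5.x", "4.x", "3.x", "2.x"], ALL_THREE),
    ("vmware telco cloud infrastructure", ["3.x", "2.x"], ALL_THREE),
    ("vmware workstation", ["17.x"], ["CVE-2025-22224", "CVE-2025-22226"]),
    ("vmware fusion", ["13.x"], ["CVE-2025-22226"]),
]


def normalize_product(name: str) -> str:
    """Fold case and drop the 'Broadcom ' vendor prefix so both spellings match."""
    name = name.strip().lower()
    if name.startswith("broadcom "):
        name = name[len("broadcom "):]
    return name


def version_matches(version: str, pattern: str) -> bool:
    """True if a concrete version (e.g. '7.0.3') falls under a pattern ('7.0', '5.x').

    Each pattern component must equal the corresponding version component until
    an 'x' wildcard is reached; trailing version components beyond the pattern
    (the '.3' in '7.0.3' vs '7.0') are accepted as part of the same line.
    """
    want = pattern.split(".")
    have = version.strip().split(".")
    for i, part in enumerate(want):
        if part == "x":
            return True
        if i >= len(have) or have[i] != part:
            return False
    return True


def applicable_cves(product: str, version: str) -> List[str]:
    """Return the sorted CVE ids that apply to this product/version, or [] if none."""
    name = normalize_product(product)
    cves: set = set()
    for prod, patterns, ids in AFFECTED:
        if prod == name and any(version_matches(version, p) for p in patterns):
            cves.update(ids)
    return sorted(cves)


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each affected host to its applicable CVEs; unaffected hosts are omitted."""
    report: Dict[str, List[str]] = {}
    for rec in inventory:
        cves = applicable_cves(rec["product"], rec["version"])
        if cves:
            report[rec["host"]] = cves
    return report


# Constructed inventory records; host names and versions are illustrative only.
INVENTORY: List[Dict[str, str]] = [
    {"host": "esx-01.example.test", "product": "Broadcom VMware ESXi", "version": "8.0.3"},
    {"host": "esx-02.example.test", "product": "VMware ESXi", "version": "6.7.0"},
    {"host": "vcf-prod", "product": "VMware Cloud Foundation", "version": "5.1.1"},
    {"host": "ws-alice", "product": "VMware Workstation", "version": "17.5.2"},
    {"host": "mac-bob", "product": "Broadcom VMware Fusion", "version": "13.6"},
]

if __name__ == "__main__":
    for host, cves in triage(INVENTORY).items():
        print(f"{host}: on an affected version line, verify build against advisory: {', '.join(cves)}")
```

The version matcher deliberately treats "7.0" as the 7.0.x line rather than an exact release, since the advisory names lines rather than builds; a record such as ESXi 6.7.0 is simply not listed and therefore produces no finding, which is not the same as being confirmed unaffected.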