VMware Security Flaws Actively Exploited: Broadcom Releases Emergency Patches
Three critical VMware zero-day vulnerabilities are being actively exploited. Broadcom has released urgent patches for ESXi, Workstation, and Fusion. Patch now.
After confirming that three critical vulnerabilities are being actively exploited in the wild, Broadcom has released urgent security updates for several VMware products. The flaws affect widely deployed virtualization products, including VMware ESXi, Workstation, and Fusion, and can allow an attacker who already controls a guest to escape the virtual machine, execute arbitrary code on the host, and read sensitive memory from the host's VMX process.
Given the severity of these vulnerabilities and the confirmed exploitation, organizations running affected VMware products should apply the latest patches without delay.
Overview of the Actively Exploited VMware Vulnerabilities
Broadcom disclosed the vulnerabilities under the following CVE identifiers, each posing a serious threat to virtualization security:
CVE-2025-22224 (CVSS: 9.3 – Critical)
A Time-of-Check Time-of-Use (TOCTOU) race condition that leads to an out-of-bounds write.
An attacker with local administrative privileges inside a guest virtual machine can exploit it to execute code as that VM's VMX process on the host, defeating the isolation between guest and host.
CVE-2025-22225 (CVSS: 8.2 – High)
An arbitrary kernel write reachable from the VMX process. An attacker who already has privileges within the VMX process (for example, code execution gained through CVE-2025-22224) can exploit it to escape the VMX sandbox and compromise the underlying hypervisor.
CVE-2025-22226 (CVSS: 7.1 – High)
An out-of-bounds read in the HGFS (Host-Guest File System) module. An attacker with administrative privileges in a guest VM can exploit it to leak memory from the VMX process, resulting in information disclosure.
Affected VMware Products and Fixed Versions
The vulnerabilities impact a wide range of VMware products. Broadcom has released patches for the following versions:
VMware ESXi
- ESXi 8.0 – Fixed in ESXi80U3d-24585383 and ESXi80U2d-24585300
- ESXi 7.0 – Fixed in ESXi70U3s-24585291
VMware Desktop Products
- VMware Workstation 17.x – Fixed in 17.6.3
- VMware Fusion 13.x – Fixed in 13.6.3
VMware Cloud & Telco Platforms
- VMware Cloud Foundation 5.x – Async patch to ESXi80U3d-24585383
- VMware Cloud Foundation 4.x – Async patch to ESXi70U3s-24585291
- VMware Telco Cloud Platform (5.x, 4.x, 3.x, 2.x) – Fixed in ESXi 7.0U3s, ESXi 8.0U2d or ESXi 8.0U3d
- VMware Telco Cloud Infrastructure (3.x, 2.x) – Fixed in ESXi 7.0U3s
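Because the fixed versions are identified by build number, the fastest triage across a fleet is to compare each host's build with the fixed build for its release line. The Python below is an added example, not Broadcom's tooling: it parses the one-line output of `vmware -v` on an ESXi host (for example `VMware ESXi 8.0.3 build-24022510`), maps the version to the fixed build listed above (8.0.3 is 8.0 Update 3, 8.0.2 is 8.0 Update 2, 7.0.3 is 7.0 Update 3), and flags hosts below it. The hostnames and banners in SAMPLE_HOSTS are constructed sample input. The script assumes ESXi build numbers increase monotonically within a release line, so any build at or above the fixed build carries the fix; 8.0.0 and 8.0.1 hosts have no fixed build and are reported as vulnerable because they must be upgraded to U2d or U3d.

```python
import re

# Minimum fixed build for each ESXi release line, taken from the fixed
# versions listed on this page. Release lines with no entry (8.0.0, 8.0.1,
# 6.x) received no patch and must be upgraded to a fixed line.
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi80U3d-24585383
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "7.0.3": 24585291,  # ESXi70U3s-24585291
}

# `vmware -v` on an ESXi host prints a single line such as
# "VMware ESXi 8.0.3 build-24022510"
VMWARE_V_RE = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")


def parse_vmware_v(line):
    """Return (version, build) from a `vmware -v` line, e.g. ("8.0.3", 24022510)."""
    m = VMWARE_V_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised ESXi version string: {line!r}")
    return m.group(1), int(m.group(2))


def is_patched(version, build):
    """True if this build carries the fix for its release line.

    Assumption: build numbers increase monotonically within a release line,
    so build >= fixed build implies the fix is present. Versions with no
    fixed build are always reported as unpatched.
    """
    fixed = FIXED_BUILDS.get(version)
    return fixed is not None and build >= fixed


def assess(hosts):
    """hosts: iterable of (hostname, vmware_v_output) pairs.

    Returns {hostname: "patched" | "VULNERABLE" | "UNKNOWN"}; a row whose
    banner cannot be parsed is marked UNKNOWN rather than silently skipped,
    because an unverifiable host is not a patched host.
    """
    status = {}
    for name, line in hosts:
        try:
            version, build = parse_vmware_v(line)
        except ValueError:
            status[name] = "UNKNOWN"
            continue
        status[name] = "patched" if is_patched(version, build) else "VULNERABLE"
    return status


# Constructed sample inventory (hostnames are illustrative, not real hosts).
SAMPLE_HOSTS = [
    ("esx01.lab.example", "VMware ESXi 8.0.3 build-24585383"),  # 8.0 U3d: fixed
    ("esx02.lab.example", "VMware ESXi 8.0.3 build-24022510"),  # 8.0 U3 before the patch
    ("esx03.lab.example", "VMware ESXi 7.0.3 build-24585291"),  # 7.0 U3s: fixed
    ("esx04.lab.example", "VMware ESXi 8.0.1 build-22088125"),  # 8.0 U1: no fix, must upgrade
    ("esx05.lab.example", "not an esxi banner"),                # bad inventory row
]

if __name__ == "__main__":
    for host, verdict in assess(SAMPLE_HOSTS).items():
        print(f"{host:22s} {verdict}")
```

Feed it the `vmware -v` banner collected over SSH from each host, or the Version and Build fields that PowerCLI's `Get-VMHost` returns, which carry the same values. Treat every "UNKNOWN" as unpatched until the host has been checked by hand.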
Active Exploitation Confirmed in the Wild
Broadcom stated in a separate FAQ that it has information suggesting these vulnerabilities have been exploited in the wild. The company did not describe the techniques used in the incidents or attribute the attacks to any group.
The vulnerabilities were reported to Broadcom by the Microsoft Threat Intelligence Center through coordinated disclosure, a further sign of the growing interest of sophisticated attackers in virtualization infrastructure.
Broadcom describes the resulting scenario as highly critical: an attacker who already has administrative or root access to a guest operating system can move from that guest to the hypervisor, greatly increasing the impact of the original breach.
CISA Adds VMware Zero-Days to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, formally confirming that they have been exploited in the wild.
Under CISA's binding directive, federal civilian agencies must remediate affected systems by March 25, 2025. The listing underlines that every organization, public or private, should treat these vulnerabilities as an immediate priority.
Why Immediate Patching Is Critical
Virtualization platforms like VMware ESXi are foundational to modern enterprise infrastructure. A successful hypervisor-level attack can:
- Compromise multiple virtual machines at once
- Bypass traditional endpoint security controls
- Enable lateral movement across environments
- Lead to full infrastructure takeover
With active exploitation already confirmed, delaying patch deployment significantly increases organizational risk.
Final Recommendations
- Immediately apply the latest VMware patches released by Broadcom
- Restrict administrative privileges within guest virtual machines
- Monitor VMX processes for suspicious activity
- Review access controls and hypervisor hardening guidelines
Staying proactive with virtualization security is no longer optional; it is a critical requirement in today's threat landscape.