Broadcom has released critical security updates to address three actively exploited vulnerabilities affecting VMware ESXi, Workstation, and Fusion products. These vulnerabilities could lead to code execution and information disclosure, posing significant risks to affected systems.

The identified vulnerabilities are:

  • CVE-2025-22224 (CVSS score: 9.3): A Time-of-Check Time-of-Use (TOCTOU) vulnerability leading to an out-of-bounds write. Exploitation by a malicious actor with local administrative privileges on a virtual machine could result in code execution as the VMX process running on the host.
  • CVE-2025-22225 (CVSS score: 8.2): An arbitrary write vulnerability that could be exploited by an attacker with privileges within the VMX process, potentially leading to a sandbox escape.
  • CVE-2025-22226 (CVSS score: 7.1): An information disclosure vulnerability due to an out-of-bounds read in HGFS. Attackers with administrative privileges to a virtual machine could exploit this to leak memory from the VMX process.

The affected versions include:

  • VMware ESXi 8.0: Fixed in ESXi80U3d-24585383 and ESXi80U2d-24585300.
  • VMware ESXi 7.0: Fixed in ESXi70U3s-24585291.
  • VMware Workstation 17.x: Fixed in version 17.6.3.
  • VMware Fusion 13.x: Fixed in version 13.6.3.
  • VMware Cloud Foundation 5.x: Async patch to ESXi80U3d-24585383.
  • VMware Cloud Foundation 4.x: Async patch to ESXi70U3s-24585291.
  • VMware Telco Cloud Platform 5.x, 4.x, 3.x, 2.x: Fixed in ESXi 7.0U3s, ESXi 8.0U2d, and ESXi 8.0U3d.
  • VMware Telco Cloud Infrastructure 3.x, 2.x: Fixed in ESXi 7.0U3s.
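The fixed ESXi builds above can be turned into a quick inventory check. The following script is an added example, not code from Broadcom or the advisory: it parses the version line that `vmware -vl` prints on an ESXi host and compares the build number against the fixed build for that host's release line. It assumes the first line of that output has the form `VMware ESXi 8.0.3 build-24585383` (where 8.0.3 is 8.0 Update 3, 8.0.2 is 8.0 Update 2 and 7.0.3 is 7.0 Update 3), and that within one release line a larger build number is always newer. Hosts on a release line for which the advisory lists no fixed build are reported as needing an upgrade to a patched line. The host names and the unpatched build numbers in the sample data are constructed.

```python
import re
from dataclasses import dataclass

# Fixed builds from the advisory. Keys are the version strings ESXi reports
# in `vmware -vl` (assumption about the reporting format, see lead-in).
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi80U3d-24585383
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "7.0.3": 24585291,  # ESXi70U3s-24585291
}

# First line of `vmware -vl`, e.g. "VMware ESXi 8.0.3 build-24585383".
VERSION_RE = re.compile(r"VMware ESXi (?P<version>\d+\.\d+\.\d+) build-(?P<build>\d+)")


@dataclass
class HostStatus:
    host: str
    version: str
    build: int
    patched: bool
    reason: str


def parse_vmware_vl(text: str) -> tuple[str, int]:
    """Extract (version, build) from `vmware -vl` output; raise on unknown format."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised ESXi version string: {text!r}")
    return m.group("version"), int(m.group("build"))


def assess(host: str, text: str) -> HostStatus:
    """Decide whether a host's build is at or beyond the fixed build for its line."""
    version, build = parse_vmware_vl(text)
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        # No fix listed for this line (e.g. 8.0.1): the host must move to a patched line.
        return HostStatus(host, version, build, False,
                          f"no fixed build listed for ESXi {version}; upgrade to a patched release line")
    if build >= fixed:
        return HostStatus(host, version, build, True,
                          f"build {build} >= fixed build {fixed}")
    return HostStatus(host, version, build, False,
                      f"build {build} < fixed build {fixed}")


# Constructed sample inventory: host name -> captured `vmware -vl` output.
# Only the fixed builds are real; the other build numbers are made up.
SAMPLE_HOSTS = {
    "esx-01.example.test": "VMware ESXi 8.0.3 build-24585383\nVMware ESXi 8.0 Update 3d\n",
    "esx-02.example.test": "VMware ESXi 8.0.3 build-24500000\nVMware ESXi 8.0 Update 3\n",
    "esx-03.example.test": "VMware ESXi 8.0.2 build-24585300\nVMware ESXi 8.0 Update 2d\n",
    "esx-04.example.test": "VMware ESXi 7.0.3 build-24000000\nVMware ESXi 7.0 Update 3\n",
    "esx-05.example.test": "VMware ESXi 8.0.1 build-22000000\nVMware ESXi 8.0 Update 1\n",
}


def report(hosts: dict[str, str] = SAMPLE_HOSTS) -> list[HostStatus]:
    """Assess every host and return the statuses, unpatched hosts first."""
    statuses = [assess(h, out) for h, out in hosts.items()]
    return sorted(statuses, key=lambda s: s.patched)


def unpatched_hosts(hosts: dict[str, str] = SAMPLE_HOSTS) -> list[str]:
    """Names of hosts that still need the fix for CVE-2025-22224/22225/22226."""
    return [s.host for s in report(hosts) if not s.patched]


if __name__ == "__main__":
    for s in report():
        flag = "OK     " if s.patched else "PATCH  "
        print(f"{flag} {s.host:<22} ESXi {s.version} build {s.build}: {s.reason}")
```

Feed it real output by collecting `vmware -vl` from each host (over SSH or your configuration tooling) into the `hosts` mapping; the comparison is only meaningful within a release line, which is why the version string is used as the lookup key rather than comparing build numbers across lines.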

Broadcom has acknowledged active exploitation of these vulnerabilities in real-world scenarios. The company credited the Microsoft Threat Intelligence Center for discovering and reporting these issues.

Given the severity and active exploitation of these vulnerabilities, it is imperative for users and administrators to apply the latest patches immediately to ensure optimal protection.
