Full Report
Broadcom warned customers today about three VMware zero-days, tagged as exploited in attacks and reported by the Microsoft Threat Intelligence Center. [...]
Analysis Summary
# Vulnerability: Three Actively Exploited VMware Zero-Days Leading to Host Compromise
## CVE Details
- CVE ID: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226.
- CVSS Score: Not specified in the source text (inferred High/Critical, given active exploitation and the resulting host access).
- Weakness type (CWE identifiers not given in the text): heap overflow in VCMI (CVE-2025-22224), arbitrary write (CVE-2025-22225), information disclosure in HGFS (CVE-2025-22226).
## Affected Systems
- Products: VMware (implied: ESXi/vCenter products running the VMX process).
- Versions: Specific vulnerable versions were not detailed in the summary text, but these affect products with the vulnerable VMX component.
- Configurations: Requires administrative or root privileges *inside* the targeted Guest Virtual Machine (VM) for exploitation.
## Vulnerability Description
Broadcom patched three zero-day vulnerabilities that are being actively exploited in the wild. All three require the attacker to already hold privileged access (administrator or root) inside a compromised guest Virtual Machine (VM).
1. **CVE-2025-22224 (VCMI Heap Overflow):** Allows local attackers with VM admin rights to execute arbitrary code *as the VMX process running on the host hypervisor*.
2. **CVE-2025-22225 (ESXi Arbitrary Write):** Allows the VMX process to trigger arbitrary kernel writes, resulting in a **sandbox escape** to the host.
3. **CVE-2025-22226 (HGFS Information Disclosure):** Allows threat actors with admin permissions within the VM to leak memory content from the VMX process.
## Exploitation
- Status: **Exploited in the wild** (Broadcom tagged all three as exploited in attacks; reported by the Microsoft Threat Intelligence Center).
- Complexity: **Medium/High** (requires an initial foothold and privileged access within the guest OS before the host escape can be triggered).
- Attack Vector: **Local** (requires administrative or root privileges inside the targeted guest VM).
## Impact
- Confidentiality: High (Memory/Data leakage possible via CVE-2025-22226, and full host access via the others).
- Integrity: Critical (arbitrary kernel writes via CVE-2025-22225 and arbitrary code execution as the VMX process on the hypervisor via CVE-2025-22224).
- Availability: High (Full host compromise can lead to service denial).
## Remediation
### Patches
- Broadcom has released patches addressing CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. (Specific patch versions are not included in this summary text; users must consult the official Broadcom advisories).
### Workarounds
- No specific workarounds were detailed in the provided text. Immediate patching is highly recommended due to active exploitation.
## Detection
- Indicators of Compromise: No specific IoCs were provided in the text. Unexpected process activity originating from the VMX process after privileged execution inside a guest would indicate a successful host compromise.
- Detection methods and tools: Monitor for unusual kernel interaction or memory-access anomalies associated with the VMX process, especially following suspicious privileged activity within guest VMs.
## References
- Vendor advisory: support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390
- Technical details: github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004
- Prior related CVEs mentioned for context (Not the focus of this summary): CVE-2024-38813, CVE-2024-38812, CVE-2023-34048