Full Report
The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog with four new vulnerabilities, adding to the growing list of cyber risks that have been actively exploited. These newly added vulnerabilities are associated with threats that malicious cyber actors frequently exploit, posing a serious risk to federal agencies and various organizations. The vulnerabilities affect widely used systems such as Linux and VMware products, highlighting the importance of quick response and patching to mitigate potential damage.

## The Newly Added Flaws to Known Exploited Vulnerabilities Catalog

CISA's latest update to the Known Exploited Vulnerabilities Catalog includes the following vulnerabilities, which have been confirmed to be exploited in active attacks:

1. **CVE-2024-50302: Linux Kernel Use of Uninitialized Resource Vulnerability**
   Published on November 19, 2024, this vulnerability in the Linux kernel has been linked to the failure to properly initialize a report buffer. This buffer, used by multiple drivers, could be exploited to leak kernel memory. As the vulnerability is related to a core component of the Linux operating system, it could lead to serious consequences for users of affected versions. The vulnerability is addressed by zero-initializing the buffer during its allocation, which prevents the possibility of leaking kernel data.
2. **CVE-2025-22225: VMware ESXi Arbitrary Write Vulnerability**
   Released on March 4, 2025, this critical vulnerability affects VMware ESXi. It allows an attacker, with the right privileges in the VMX process, to trigger an arbitrary kernel write. This can lead to an escape from the virtual machine's sandbox environment, allowing unauthorized access to the host system. The vulnerability is rated with a CVSS score of 8.2 (High), indicating that it is a severe threat requiring immediate attention.
3. **CVE-2025-22224: VMware ESXi and Workstation TOCTOU Race Condition Vulnerability**
   Also disclosed on March 4, 2025, this vulnerability arises from a Time-of-Check to Time-of-Use (TOCTOU) race condition. This flaw enables an attacker with local administrative privileges on a virtual machine to execute arbitrary code by exploiting the race condition. The CVSS score of 9.3 (Critical) reflects the severity of this vulnerability, as it can potentially allow attackers to compromise the integrity of the virtual machine host.
4. **CVE-2025-22226: VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability**
   The last of the vulnerabilities added to the CISA Known Exploited Vulnerabilities Catalog on March 4, 2025, pertains to an information disclosure flaw in VMware ESXi, Workstation, and Fusion. This issue arises due to an out-of-bounds read in the HGFS module, which could allow a malicious actor to leak memory from the VMX process. While not as severe as the other vulnerabilities, it still poses a 7.1 (High) CVSS risk, making it a concern for users running vulnerable versions.

## Risks Posed by These Vulnerabilities

These vulnerabilities are more than just theoretical risks; they are actively being exploited by cyber adversaries. The Known Exploited Vulnerabilities Catalog maintained by CISA is designed to help organizations quickly identify and patch vulnerabilities that are already being targeted in attacks. As these vulnerabilities are often leveraged as attack vectors, it is critical for organizations, especially those within the federal government, to prioritize their remediation.

The CISA catalog serves as an essential resource for federal agencies, guiding them on which vulnerabilities need immediate attention to reduce the risk of data breaches and system compromise. Exploited vulnerabilities, such as those recently added to the catalog, often act as gateways for malicious actors to gain unauthorized access, elevate privileges, or disrupt services.

## Details of the Affected Products

CVE-2024-50302 affects the Linux kernel, with various versions being vulnerable to exploitation. Linux users need to apply patches immediately to ensure they are not exposed to these security risks.

CVE-2025-22225, CVE-2025-22224, and CVE-2025-22226 affect VMware ESXi, Workstation, and Fusion. These vulnerabilities span multiple versions of VMware products, impacting both cloud infrastructure and enterprise environments. VMware administrators are strongly encouraged to update their systems to the latest versions to mitigate potential exploitation.

## Conclusion

Given the severity of the vulnerabilities recently added to CISA’s Known Exploited Vulnerabilities Catalog, it is crucial for organizations to quickly apply security patches and follow the guidance provided by CISA and affected vendors regarding vulnerable versions. For instance, CVE-2025-22225 affects VMware ESXi versions prior to ESXi80U3d-24585383, and CVE-2025-22224 impacts VMware Workstation 17.x before version 17.6.3. Organizations should prioritize patching, monitor the catalog for updates, and implement security best practices such as network segmentation, continuous monitoring, and endpoint protection tools to minimize risks.
Analysis Summary
# Vulnerability: Newly Added Exploited Vulnerabilities (Linux Kernel and VMware)
## CVE Details
- CVE ID: CVE-2024-50302, CVE-2025-22225, CVE-2025-22224, CVE-2025-22226
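- CVSS Score: 8.2 (High) for CVE-2025-22225, 9.3 (Critical) for CVE-2025-22224, 7.1 (High) for CVE-2025-22226; **not explicitly provided** for CVE-2024-50302 (severity inferred as high due to CISA catalog inclusion)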
- CWE: **Not specified**
## Affected Systems
- Products: Linux Kernel, VMware ESXi, VMware Workstation, VMware Fusion
- Versions:
  - **CVE-2024-50302**: Various Linux kernel versions (specific list not detailed, but immediate patching advised).
  - **CVE-2025-22225**: VMware ESXi versions prior to ESXi80U3d-24585383.
  - **CVE-2025-22224**: VMware Workstation versions prior to 17.6.3.
  - **CVE-2025-22226**: VMware Fusion (Specific versions not detailed in text).
- Configurations: Affects cloud infrastructure and enterprise environments running these products.
## Vulnerability Description
CISA has added four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, indicating they are actively being exploited in the wild. These flaws affect major systems including the Linux Kernel and multiple VMware products (ESXi, Workstation, Fusion). Exploited vulnerabilities such as these "often act as gateways for malicious actors to gain unauthorized access, elevate privileges, or disrupt services."
## Exploitation
- Status: **Exploited in the wild** (As they are included in the CISA KEV Catalog)
- Complexity: **Implied Medium/High** (Based on the severity rating and inclusion in KEV)
- Attack Vector: Likely **Network** or **Local** depending on the specific flaw (VMware ESXi exploitation typically allows remote access).
## Impact
- Confidentiality: **High** (Potential for unauthorized access)
- Integrity: **High** (Potential for privilege escalation or data tampering)
- Availability: **High** (Potential for service disruption)
## Remediation
### Patches
Organizations are strongly encouraged to apply patches immediately. Specific required patch levels mentioned are:
- **VMware ESXi**: Update to ESXi80U3d-24585383 or later.
- **VMware Workstation**: Update to version 17.6.3 or later.
- **Linux Kernel**: Apply vendor-specific patches immediately.
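
One way to turn the two patch levels above into an inventory check, as an added example that is not taken from CISA, VMware, or the original report. The function names, status labels, accepted version-string shapes, and the sample inventory are assumptions made for illustration; only the fix levels come from this page, so hosts on any other release line are reported as `not-covered` rather than guessed at.

```python
import re

# Fix levels as stated on this page; other release lines need the vendor advisory.
ESXI80_FIXED_BUILD = 24585383       # from patch name ESXi80U3d-24585383
WORKSTATION17_FIXED = (17, 6, 3)    # Workstation 17.x is fixed in 17.6.3

def check_esxi(version):
    """Compare an ESXi 8.0 build number with the fixed build."""
    s = version.strip()
    # Assumed input shapes: "VMware ESXi 8.0.3 build-N" or "ESXi80U3d-N".
    m = (re.search(r"ESXi\s+(\d+)\.(\d+)(?:\.\d+)*\s+build-(\d+)$", s)
         or re.search(r"ESXi(\d)(\d)\w*-(\d+)$", s))
    if not m:
        return "not-covered"
    major, minor, build = (int(g) for g in m.groups())
    if (major, minor) != (8, 0):
        return "not-covered"        # the page gives no level for this line
    return "at-or-above-fix" if build >= ESXI80_FIXED_BUILD else "below-fix"

def check_workstation(version):
    """Compare a Workstation 17.x version with 17.6.3."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m or int(m.group(1)) != 17:
        return "not-covered"
    found = tuple(int(g) for g in m.groups())
    return "at-or-above-fix" if found >= WORKSTATION17_FIXED else "below-fix"

# Product -> (CVE the page ties to that fix level, checker function).
CHECKS = {"esxi": ("CVE-2025-22225", check_esxi),
          "workstation": ("CVE-2025-22224", check_workstation)}

def triage(inventory):
    """Return (host, cve, status) rows, hosts below the fix level first."""
    rank = {"below-fix": 0, "not-covered": 1, "at-or-above-fix": 2}
    rows = []
    for item in inventory:
        cve, check = CHECKS.get(item["product"], (None, None))
        status = check(item["version"]) if check else "not-covered"
        rows.append((item["host"], cve, status))
    return sorted(rows, key=lambda r: (rank[r[2]], r[0]))

# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = [
    {"host": "esx-01", "product": "esxi", "version": "VMware ESXi 8.0.3 build-24022510"},
    {"host": "esx-02", "product": "esxi", "version": "ESXi80U3d-24585383"},
    {"host": "esx-03", "product": "esxi", "version": "VMware ESXi 7.0.3 build-21930508"},
    {"host": "ws-01", "product": "workstation", "version": "17.5.2"},
    {"host": "mac-01", "product": "fusion", "version": "13.5.0"},
]
```

`triage(INVENTORY)` lists `esx-01` and `ws-01` first as `below-fix`. A `below-fix` or `not-covered` result is a prompt to check the vendor advisory for that release line, not a final verdict.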
### Workarounds
No specific workarounds are detailed in the provided text, but general security best practices were recommended.
## Detection
- **Indicators of Compromise (IoCs)**: Not detailed in the summary text.
- **Detection methods and tools**: Organizations should implement continuous monitoring and utilize endpoint protection tools to minimize risks.
## References
- Vendor advisories for Linux kernel, VMware ESXi, Workstation, and Fusion should be consulted for full patch details.
- Relevant link provided in context: hxxps://thecyberexpress.com/cisa-known-exploited-vulnerabilities-catalog-3/