Full Report
Broadcom published an advisory for three flaws in several VMware products that were exploited in the wild as zero-days. Organizations are advised to apply the available patches.

## Background

On March 4, Broadcom published an advisory (VMSA-2025-0004) for three zero-day vulnerabilities across multiple VMware products:

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2025-22224 | VMware ESXi and Workstation Heap-Overflow Vulnerability | 9.3 |
| CVE-2025-22225 | VMware ESXi Arbitrary Write Vulnerability | 8.2 |
| CVE-2025-22226 | VMware ESXi, Workstation and Fusion Information Disclosure Vulnerability | 7.1 |

In addition to its advisory, Broadcom published a frequently asked questions (FAQ) document for these vulnerabilities: VMSA-2025-0004: Questions & Answers.

## Analysis

CVE-2025-22224 is a TOCTOU (Time-of-Check Time-of-Use) vulnerability in VMware ESXi and Workstation. A local, authenticated attacker with admin privileges could exploit this vulnerability to gain code execution in the virtual-machine executable (VMX) process.

CVE-2025-22225 is an arbitrary write vulnerability in VMware ESXi. A local, authenticated attacker with the requisite privileges could exploit this vulnerability through the VMX process to escape the sandbox.

CVE-2025-22226 is an information-disclosure vulnerability in VMware ESXi, Workstation and Fusion. An authenticated, local attacker with admin privileges could exploit this vulnerability to cause the VMX process to leak contents from memory.

### Exploited in the wild as zero-days

According to Broadcom, these vulnerabilities were discovered and disclosed by researchers at the Microsoft Threat Intelligence Center (MSTIC) and observed being exploited in the wild. No specific details about in-the-wild exploitation were shared.

### Proof of concept

At the time this blog post was published, there were no proofs-of-concept (PoCs) available for any of these three vulnerabilities.

## Solution

VMware has released fixed versions for affected VMware products:

| Affected Products | CVEs | Fixed Versions |
| --- | --- | --- |
| VMware ESXi 8.0 | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | ESXi80U3d-24585383, ESXi80U2d-24585300 |
| VMware ESXi 7.0 | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | ESXi70U3s-24585291 |
| VMware Workstation 17.x | CVE-2025-22224, CVE-2025-22226 | 17.6.3 |
| VMware Fusion 13.x | CVE-2025-22226 | 13.6.3 |

Additionally, VMware Cloud Foundation, VMware Telco Cloud Platform and VMware Telco Cloud Infrastructure are affected. An asynchronous patch is available for VMware Cloud Foundation, while Telco Cloud Platform customers should update to a fixed ESXi version. For more information, please refer to Broadcom’s advisory.

## Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

## Get more information

- Broadcom Advisory for VMSA-2025-0004
- VMSA-2025-0004: Questions & Answers
- Join Tenable's Security Response Team on the Tenable Community.
- Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
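A small inventory triage helper in the spirit of the "Identifying affected systems" section, added here as an example and not part of Tenable's post or its plugins: it compares the version banner each ESXi host reports against the fixed builds in the Solution table. The `vmware -v` banner format, the mapping of the third version component to the update line (8.0.3 = 8.0 U3, 8.0.2 = 8.0 U2, 7.0.3 = 7.0 U3) and the sample inventory are assumptions of the example.

```python
import re

# Minimum fixed ESXi builds from the VMSA-2025-0004 table above, keyed by
# (major.minor, update line). Reading the update line from the third version
# component is an assumption of this example, not something the advisory states.
FIXED_BUILDS = {
    ("8.0", 3): 24585383,  # ESXi80U3d-24585383
    ("8.0", 2): 24585300,  # ESXi80U2d-24585300
    ("7.0", 3): 24585291,  # ESXi70U3s-24585291
}

# Version banner as printed by `vmware -v` on an ESXi host (assumed format).
BANNER_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)")

def parse_banner(banner):
    """Return (major.minor, update, build) from an ESXi version banner."""
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised ESXi banner: {banner!r}")
    major, minor, update, build = m.groups()
    return f"{major}.{minor}", int(update), int(build)

def assess(banner):
    """'patched' at or above the fixed build for the host's update line,
    'vulnerable' below it, 'review' when the line is not in the advisory table
    (do not assume safety; check Broadcom's advisory for that line)."""
    line, update, build = parse_banner(banner)
    fixed = FIXED_BUILDS.get((line, update))
    if fixed is None:
        return "review"
    return "patched" if build >= fixed else "vulnerable"

def triage(inventory):
    """Group {hostname: banner} into {status: sorted list of hostnames}."""
    groups = {}
    for host, banner in inventory.items():
        groups.setdefault(assess(banner), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}

# Constructed sample inventory: fixed builds are the advisory's, lower ones are made up.
SAMPLE_INVENTORY = {
    "esx-a": "VMware ESXi 8.0.3 build-24585383",  # 8.0 U3d, fixed
    "esx-b": "VMware ESXi 8.0.3 build-24400000",  # older 8.0 U3 build
    "esx-c": "VMware ESXi 8.0.2 build-24585300",  # 8.0 U2d, fixed
    "esx-d": "VMware ESXi 7.0.3 build-23000000",  # older 7.0 U3 build
    "esx-e": "VMware ESXi 8.0.1 build-23000000",  # 8.0 U1, not in the table
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts)}")
```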
Analysis Summary
# Vulnerability: VMware ESXi, Workstation, and Fusion Zero-Day Vulnerabilities Exploited
## CVE Details
- **CVE ID:** CVE-2025-22224, CVE-2025-22225, CVE-2025-22226
- **CVSS Score:** CVE-2025-22224: 9.3; CVE-2025-22225: 8.2; CVE-2025-22226: 7.1 (CVSSv3, as listed in the Broadcom advisory)
- **CWE:** (Not specified in the text)
## Affected Systems
- **Products:** VMware ESXi, VMware Workstation 17.x, VMware Fusion 13.x, VMware Cloud Foundation, VMware Telco Cloud Platform, VMware Telco Cloud Infrastructure.
- **Fixed versions:**
  - ESXi 8.0: ESXi80U3d-24585383, ESXi80U2d-24585300
  - ESXi 7.0: ESXi70U3s-24585291
  - Workstation 17.x: 17.6.3
  - Fusion 13.x: 13.6.3
- **Configurations:** Specific details on configurations are not provided, but the vulnerabilities affect the core products listed.
## Vulnerability Description
Three zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) affect multiple VMware virtualization products, including ESXi, Workstation and Fusion, and were exploited in the wild before fixes were available. CVE-2025-22224 is a TOCTOU heap-overflow flaw in ESXi and Workstation that lets a local, authenticated attacker with admin privileges gain code execution in the virtual-machine executable (VMX) process; CVE-2025-22225 is an arbitrary write in ESXi that can be exploited through the VMX process to escape the sandbox; CVE-2025-22226 is an information-disclosure flaw in ESXi, Workstation and Fusion that causes the VMX process to leak memory contents.
## Exploitation
- **Status:** Exploited in the wild
- **Complexity:** Not specified in the advisory.
- **Attack Vector:** Local. Each flaw requires an authenticated attacker with admin (or the requisite) privileges, per the advisory descriptions.
## Impact
- **Confidentiality:** Memory contents leaked from the VMX process (CVE-2025-22226).
- **Integrity:** Code execution in the VMX process (CVE-2025-22224) and sandbox escape via an arbitrary write (CVE-2025-22225).
- **Availability:** Not specified.
*(Severity is high: CVSSv3 scores of 9.3, 8.2 and 7.1, all three actively exploited, affecting widely deployed hypervisor infrastructure such as ESXi.)*
## Remediation
### Patches
- **VMware ESXi/Workstation/Fusion:** ESXi 8.0: ESXi80U3d-24585383 or ESXi80U2d-24585300; ESXi 7.0: ESXi70U3s-24585291; Workstation 17.6.3; Fusion 13.6.3. See Broadcom advisory VMSA-2025-0004 for details.
- **VMware Cloud Foundation:** An asynchronous patch is available.
- **VMware Telco Cloud Platform/Infrastructure:** Customers should update to a fixed ESXi version.
### Workarounds
- (No specific workarounds were provided in this excerpt; immediate patching is implied as the primary action.)
## Detection
- **Indicators of Compromise:** (Not specified)
- **Detection methods and tools:** Tenable plugins for these vulnerabilities are listed on the individual CVE pages for CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, including upcoming plugins in the Plugins Pipeline.
## References
- Broadcom Advisory for VMSA-2025-0004: support[dot]broadcom[dot]com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390
- VMSA-2025-0004: Questions & Answers: github[dot]com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004
- Tenable CVE Plugin Pages (for reference):
  - CVE-2025-22224
  - CVE-2025-22225
  - CVE-2025-22226