# Full Report
Over 37,000 internet-exposed VMware ESXi instances are vulnerable to CVE-2025-22224, a critical out-of-bounds write flaw that is actively exploited in the wild. [...]
# Analysis Summary
# Vulnerability: VMware ESXi VCMI Heap Overflow Leading to Host Code Execution
## CVE Details
- CVE ID: CVE-2025-22224 (Note: Other related CVEs mentioned are CVE-2025-22225 and CVE-2025-22226)
- CVSS Score: Critical (Severity associated with the described impact)
- CWE: Heap overflow (Inferred from description: "VCMI heap overflow vulnerability")
## Affected Systems
- Products: VMware ESXi
- Versions: Affected and fixed ESXi versions are listed in Broadcom's bulletin (see References).
- Configurations: Exploitable by a local attacker who holds administrative privileges inside a guest VM.
## Vulnerability Description
CVE-2025-22224 is a critical-severity VCMI heap overflow vulnerability. Successful exploitation allows a local attacker, who already possesses administrative privileges within a virtual machine (guest OS), to escape the sandbox environment. This escape allows the attacker to execute arbitrary code on the underlying ESXi host as the VMX process.
## Exploitation
- Status: Exploited in the wild (Observed as zero-days by Microsoft Threat Intelligence Center)
- Complexity: Low (Implied by the widespread risk and active exploitation)
- Attack Vector: Local (Requires access/privileges within a guest VM)
## Impact
- Confidentiality: High (Code execution on host could lead to full compromise)
- Integrity: High (Code execution on host could lead to full compromise)
- Availability: High (Code execution on host could lead to service downtime or data destruction)
## Remediation
### Patches
- Users must consult the official Broadcom bulletin for the specific ESXi versions that contain fixes for CVE-2025-22224.
- Broadcom Security Advisory reference: [support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390](http://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390)
### Workarounds
- Currently, there are no known workarounds for this specific vulnerability (CVE-2025-22224). Immediate patching is required.
## Detection
- The source does not describe detection methods in detail; the stated focus is on monitoring for unauthorized activity that originates from a guest OS and attempts to reach the ESXi host.
- CISA has mandated that federal and state organizations apply updates or cease using the product by March 25, 2025.
- IOCs related to the currently exploited zero-days should be sought via threat intelligence feeds tracking the exploitation observed by MSTIC.
## References
- Vendor Bulletin: [support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390](http://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390)
- FAQ Page: [github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004](http://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004)
- CISA Advisory: [cisa.gov/news-events/alerts/2025/03/04/cisa-adds-four-known-exploited-vulnerabilities-catalog](http://cisa.gov/news-events/alerts/2025/03/04/cisa-adds-four-known-exploited-vulnerabilities-catalog)
- Threat Monitoring Data (Shadowserver): [dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-22224%2B&dataset=unique_ips&style=stacked](http://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-22224%2B&dataset=unique_ips&style=stacked)