Full Report
Broadcom has released security updates to address three actively exploited security flaws in VMware ESXi, Workstation, and Fusion products that could lead to code execution and information disclosure. The list of vulnerabilities is as follows - CVE-2025-22224 (CVSS score: 9.3) - A Time-of-Check Time-of-Use (TOCTOU) vulnerability that leads to an out-of-bounds write, which a malicious actor with
Analysis Summary
# Vulnerability: Multiple Actively Exploited VMware Flaws Leading to Code Execution (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)
## CVE Details
- CVE ID: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226
- CVSS Score: 9.3 (Critical) for CVE-2025-22224, 8.2 (High) for CVE-2025-22225, 7.1 (High) for CVE-2025-22226
- CWE: Not listed in the advisory. The descriptions map to CWE-367 (TOCTOU race) leading to CWE-787 (out-of-bounds write) for CVE-2025-22224, a write-what-where condition (CWE-123) for CVE-2025-22225, and CWE-125 (out-of-bounds read) for CVE-2025-22226; these are the analyst's inferred mappings, not vendor-assigned.
## Affected Systems
- **Products:** VMware ESXi, VMware Workstation, VMware Fusion, VMware Cloud Foundation, VMware Telco Cloud Platform, VMware Telco Cloud Infrastructure.
- **Versions:**
  - VMware ESXi 8.0 (builds earlier than the fixed builds listed under Remediation)
  - VMware ESXi 7.0 (builds earlier than the fixed build listed under Remediation)
  - VMware Workstation 17.x (prior to 17.6.3)
  - VMware Fusion 13.x (prior to 13.6.3)
  - VMware Cloud Foundation 5.x (prior to the async patch corresponding to ESXi80U3d-24585383)
  - VMware Cloud Foundation 4.x (prior to the async patch corresponding to ESXi70U3s-24585291)
  - VMware Telco Cloud Platform 5.x, 4.x, 3.x, 2.x
  - VMware Telco Cloud Infrastructure 3.x, 2.x
- **Configurations:** No special host-side configuration is needed. CVE-2025-22224 and CVE-2025-22226 require administrative (root or equivalent) privileges inside a guest VM; CVE-2025-22225 requires code execution already inside the VMX process, which in practice means it is chained after CVE-2025-22224. Hosts running guests whose administrators are not fully trusted (multi-tenant clusters, VDI, malware sandboxes, CI runners) are the highest priority.
## Vulnerability Description
The advisory covers three distinct flaws:
1. **CVE-2025-22224 (CVSS 9.3):** A Time-of-Check Time-of-Use (TOCTOU) vulnerability leading to an out-of-bounds write. If exploited by a local VM admin, this could allow code execution as the VMX process running on the host.
2. **CVE-2025-22225 (CVSS 8.2):** An arbitrary write vulnerability. If exploited by an actor with privileges within the VMX process, this could lead to a sandbox escape.
3. **CVE-2025-22226 (CVSS 7.1):** An information disclosure vulnerability due to an out-of-bounds read in HGFS. This could allow a VM admin to leak memory from the VMX process.
## Exploitation
- **Status:** Exploited in the wild. Broadcom has information suggesting active exploitation.
- **Complexity:** The barrier is the prerequisite, not the technique: an attacker must first hold admin rights inside a guest (CVE-2025-22224, CVE-2025-22226) or code execution inside the VMX process (CVE-2025-22225). Since the flaws are already being exploited in the wild, assume a working chain exists: 22226 to leak VMX memory and defeat ASLR, 22224 for code execution in VMX, 22225 to escape the VMX sandbox onto the host.
- **Attack Vector:** Primarily Local (within a VM) leading to Host compromise (VM escape).
## Impact
- **Confidentiality:** High (Memory leakage possible via CVE-2025-22226; successful RCE could lead to full disclosure).
- **Integrity:** High (Arbitrary write and RCE possible via CVE-2025-22224 and CVE-2025-22225).
- **Availability:** A failed or unstable exploit attempt crashes the VMX process, taking down that guest; a successful escape puts every VM on the host at risk.
## Remediation
### Patches
Organizations must apply the latest security updates provided by Broadcom/VMware:
* **VMware ESXi 8.0:** Fixed in ESXi80U3d-24585383, ESXi80U2d-24585300
* **VMware ESXi 7.0:** Fixed in ESXi70U3s-24585291
* **VMware Workstation 17.x:** Fixed in version 17.6.3
* **VMware Fusion 13.x:** Fixed in version 13.6.3
* **VMware Cloud Foundation 5.x:** Apply async patch corresponding to ESXi80U3d-24585383
* **VMware Cloud Foundation 4.x:** Apply async patch corresponding to ESXi70U3s-24585291
* **VMware Telco Cloud Platform/Infrastructure:** Fixed via ESXi 7.0U3s, ESXi 8.0U2d, and ESXi 8.0U3d updates.
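The fixed-build list above is easy to misread when triaging a mixed fleet, because ESXi 8.0 U2 and 8.0 U3 have different minimum builds and `esxcli system version get` reports them as 8.0.2 and 8.0.3 respectively. The following script is an added example for this page, not Broadcom tooling: it encodes the advisory's fixed builds and versions, parses the version and build out of `esxcli system version get` output, and reports which hosts still need the patch. The `esxcli` sample text is constructed to resemble that command's output and is not a real capture; the build number in it is illustrative.

```python
"""Triage VMSA-2025-0004 (CVE-2025-22224/22225/22226) patch status from
version strings. Added example for this page; not Broadcom tooling.

Assumptions: the fixed-build map is transcribed from the advisory's fix
list; SAMPLE_ESXCLI is constructed to look like `esxcli system version get`
output and is not a real capture.
"""
import re

# Lowest build that contains the fix, per ESXi release line (from the advisory).
# `esxcli system version get` reports 8.0 U3 as 8.0.3, 8.0 U2 as 8.0.2, 7.0 U3 as 7.0.3.
ESXI_FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi80U3d-24585383
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "7.0.3": 24585291,  # ESXi70U3s-24585291
}

# Lowest fixed release of the desktop hypervisors (from the advisory).
DESKTOP_FIXED = {
    "workstation": (17, 6, 3),
    "fusion": (13, 6, 3),
}

_ESXCLI_VERSION = re.compile(r"^\s*Version:\s*([\d.]+)\s*$", re.M)
_ESXCLI_BUILD = re.compile(r"^\s*Build:\s*Releasebuild-(\d+)\s*$", re.M)


def parse_esxcli_version(text: str) -> tuple:
    """Extract (version, build) from `esxcli system version get` output."""
    v = _ESXCLI_VERSION.search(text)
    b = _ESXCLI_BUILD.search(text)
    if not v or not b:
        raise ValueError("could not find Version/Build in esxcli output")
    return v.group(1), int(b.group(1))


def esxi_status(version: str, build: int) -> str:
    """Return 'patched', 'vulnerable', or 'no-fixed-build'.

    'no-fixed-build' means the advisory lists no fix for this release line
    (e.g. 8.0 GA/U1 or 7.0 GA/U1/U2); such hosts must move to a fixed line.
    """
    fixed = ESXI_FIXED_BUILDS.get(version)
    if fixed is None:
        return "no-fixed-build"
    return "patched" if build >= fixed else "vulnerable"


def _version_tuple(s: str) -> tuple:
    """'17.6.2 build-1234' -> (17, 6, 2); any trailing build suffix is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def desktop_status(product: str, version: str) -> str:
    """Compare a Workstation or Fusion version string against the fixed release."""
    fixed = DESKTOP_FIXED[product.lower()]
    return "patched" if _version_tuple(version) >= fixed else "vulnerable"


def triage(hosts):
    """hosts: iterable of (name, version, build). Returns the names still exposed."""
    return [name for name, ver, build in hosts if esxi_status(ver, build) != "patched"]


# Constructed sample resembling `esxcli system version get` on an unpatched
# 8.0 U3 host (the build number is illustrative, not a known release build).
SAMPLE_ESXCLI = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build:   Releasebuild-24414501
   Update:  3
   Patch:   35
"""

if __name__ == "__main__":
    ver, build = parse_esxcli_version(SAMPLE_ESXCLI)
    print(f"sample host: {ver} build {build} -> {esxi_status(ver, build)}")
    fleet = [
        ("esx01", "8.0.3", 24585383),  # 8.0 U3d, fixed
        ("esx02", "8.0.2", 24585300),  # 8.0 U2d, fixed
        ("esx03", "8.0.3", 24585300),  # U3 line with a U2d-level build: still exposed
        ("esx04", "7.0.3", 24585291),  # 7.0 U3s, fixed
        ("esx05", "8.0.1", 23000000),  # no fix on this line; must upgrade
    ]
    print("still exposed:", triage(fleet))
```

In a real run, feed `parse_esxcli_version` the output of `esxcli system version get` collected from each host (or the Version/Build columns from a vCenter export) rather than the constructed sample. Note the `esx03` case: a build number alone is not enough, because 24585300 is fixed on the 8.0 U2 line but below the 8.0 U3 fix; the check must key on the release line first.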
### Workarounds
The advisory lists no workarounds. Given confirmed in-the-wild exploitation, patch immediately rather than relying on temporary mitigations; until a host is patched, treat every guest administrator on it as a potential host administrator and restrict who holds that role.
## Detection
- **Indicators of Compromise:** The IoCs behind the Microsoft Threat Intelligence Center (MSTIC) report that prompted the advisory are not reproduced in this summary. On the host side, the observable artifacts of exploitation or failed exploitation are VMX process crashes (on ESXi these leave core files under /var/core) and unexpected processes or files created on the hypervisor itself.
- **Detection Methods and Tools:** Monitor ESXi hosts for VMX crashes and core files, review the per-VM vmware.log for abnormal terminations, and alert on new processes, new user accounts, SSH enablement, or file changes on the hypervisor, since a successful escape lands the attacker on the host rather than in the guest. Correlate with guest-side telemetry showing privilege escalation to root or administrator shortly beforehand. Guest activity that exercises the VMX interfaces involved (HGFS, VMware Tools backdoor calls) cannot be reliably distinguished from legitimate use, so focus on host-side outcomes rather than trying to detect the TOCTOU itself.
## References
- Vendor Advisory: support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390
- FAQ/Guidance: github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004