Broadcom Patches Three Actively Exploited VMware Zero-Day Vulnerabilities

In March 2025, Broadcom released critical patches addressing three zero-day vulnerabilities in VMware’s ESXi, Workstation, and Fusion platforms.

These flaws were reportedly exploited in the wild and pose serious security risks to virtualized infrastructure across enterprises and cloud environments.

🧠 Overview of the Vulnerabilities

The three identified vulnerabilities are as follows:

  • CVE-2025-22224 (CVSS 9.3 – Critical): A Time-of-Check Time-of-Use (TOCTOU) flaw in VMware ESXi and Workstation that allows local administrative users on a guest virtual machine to execute code on the host system by leveraging the VMX process (Broadcom, 2025a).
  • CVE-2025-22225 (CVSS 8.2 – High): An arbitrary write vulnerability in VMware ESXi. A malicious actor with VMX process access can write to the kernel, potentially leading to a sandbox escape (Broadcom, 2025a).
  • CVE-2025-22226 (CVSS 7.1 – High): An information disclosure vulnerability in VMware ESXi, Workstation, and Fusion. Attackers can read out-of-bounds memory from the VMX process via the Host Guest File System (HGFS), exposing potentially sensitive data (Broadcom, 2025a).

These vulnerabilities require prior administrative access on a virtual machine, making them especially dangerous when used in conjunction with other initial access methods, such as spear-phishing or credential theft (SecurityWeek, 2025).

🔥 Active Exploitation and Impact

Broadcom and Microsoft confirmed that the zero-day vulnerabilities were being actively exploited in targeted attacks.

The exploitation chain allows attackers to escape virtual machines and potentially compromise the host, which could lead to:

  • Unauthorised access to host resources
  • Deployment of ransomware or malware
  • Lateral movement within enterprise environments
  • Data exfiltration

Security experts have also warned that attackers might chain the flaws together to execute complex attack scenarios involving privilege escalation and full host takeover (Cybersecurity News, 2025).

🔑 Affected VMware Products

The following VMware products are impacted:

  • VMware ESXi (6.7, 7.0, and 8.0)
  • VMware Workstation (17.x)
  • VMware Fusion (13.x)
  • VMware Cloud Foundation
  • VMware Telco Cloud Platform

🔍 Patch Availability and Recommendations

Broadcom has released the following updates to mitigate the issues:

  • ESXi 8.0: Update to ESXi80U3d-24585383 or ESXi80U2d-24585300
  • ESXi 7.0: Update to ESXi70U3s-24585291
  • ESXi 6.7: Update to ESXi670-202503001
  • Workstation: Update to 17.6.3
  • Fusion: Update to 13.6.3

There are no workarounds for these issues; administrators must apply the security patches immediately (Broadcom, 2025a).
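As an added illustration (not a Broadcom tool), the following script checks ESXi hosts against the fixed builds listed above. It assumes the version string format printed by `vmware -v` on ESXi ("VMware ESXi 8.0.3 build-24585383"), and because the page gives only a bulletin ID for ESXi 6.7 rather than a build number, 6.7 hosts are flagged for a manual check instead of being compared numerically.

```python
import re

# Fixed ESXi builds from Broadcom's March 2025 advisory, as listed on this page.
# Key: (major, minor, update) of the release train -> first patched build.
FIXED_ESXI_BUILDS = {
    (8, 0, 3): 24585383,  # ESXi80U3d-24585383
    (8, 0, 2): 24585300,  # ESXi80U2d-24585300
    (7, 0, 3): 24585291,  # ESXi70U3s-24585291
}
# ESXi 6.7 is fixed by bulletin ESXi670-202503001; no build number is given
# on the page, so 6.7 hosts are reported for manual verification.
ESXI_67_PATCH_ID = "ESXi670-202503001"

# Assumed output format of `vmware -v`, e.g. "VMware ESXi 8.0.3 build-24585383".
_VERSION_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)")


def assess_esxi(version_line):
    """Return 'patched', 'vulnerable' or 'manual-check' for one host's version line."""
    m = _VERSION_RE.search(version_line)
    if not m:
        raise ValueError("unrecognised version line: %r" % version_line)
    major, minor, update, build = (int(x) for x in m.groups())
    if (major, minor) == (6, 7):
        return "manual-check"  # confirm ESXI_67_PATCH_ID is installed
    fixed = FIXED_ESXI_BUILDS.get((major, minor, update))
    if fixed is None:
        # No patched build exists in this train (e.g. 8.0.1); the host must
        # move to a patched train, so it is treated as vulnerable.
        return "vulnerable"
    return "patched" if build >= fixed else "vulnerable"


def assess_fleet(lines):
    """Map each version line (one per host) to its patch status."""
    return {line: assess_esxi(line) for line in lines}


# Constructed sample inventory; the build numbers are made up, not real hosts.
SAMPLE_FLEET = [
    "VMware ESXi 8.0.3 build-24585383",
    "VMware ESXi 8.0.3 build-24000000",
    "VMware ESXi 8.0.2 build-24585300",
    "VMware ESXi 8.0.1 build-22000000",
    "VMware ESXi 7.0.3 build-23000000",
    "VMware ESXi 6.7.0 build-17000000",
]

if __name__ == "__main__":
    for host, status in assess_fleet(SAMPLE_FLEET).items():
        print(status.ljust(13), host)
```

Feed it the `vmware -v` line collected from each host (for example over SSH or from an inventory export) and it reports which hosts still need the ESXi update.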

🛡️ Urgent Recommendations

Given the active exploitation of these vulnerabilities, organizations using affected VMware products should:

  1. Apply Patches Immediately: Update all affected systems to the latest patched versions provided by Broadcom. (Source: Bleeping Computer)
  2. Review Access Controls: Ensure that administrative access to virtual machines is tightly controlled and monitored. (Source: Cybersecurity Dive)
  3. Monitor Systems: Implement monitoring for unusual activity that may indicate exploitation attempts or unauthorized access.
  4. Consult Official Advisories: Refer to Broadcom’s official security advisory (VMSA-2025-0004) for detailed information and guidance. (Source: digital.nhs.uk)

Prompt action is essential to protect virtualized environments from potential compromise due to these critical vulnerabilities.

🧠 Final Thoughts

The exploitation of three zero-day vulnerabilities in VMware’s core virtualization platforms is a stark reminder: virtualization is not a security boundary. When attackers can pivot from guest to host, the consequences ripple across your entire infrastructure—on-premises and in the cloud.

These aren’t theoretical risks. They’re active threats, being weaponized in the wild by advanced adversaries. The danger lies not only in the technical severity of the flaws, but in the ease with which attackers can chain them with phishing or credential theft for full system compromise.

Patching is no longer optional—it’s a frontline defense. But patching alone isn’t enough. Hardening access, continuously monitoring for anomalies, and applying least-privilege principles across virtual environments are now essential to surviving modern threat campaigns.

🔐 Don’t let your virtual infrastructure become your weakest link. Let Exabytes help you stay ahead of evolving threats with real-time monitoring, proactive patch management, and hardened virtualization defenses.

👉 Visit Exabytes eSecure to get started.
