Broadcom Patches Three VMware Zero-Days Exploited in Active Attacks
Three VMware zero-day vulnerabilities in ESXi, Workstation, and Fusion are being actively exploited, enabling attackers to escape virtual machines and compromise hypervisors.
CVE References: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226
Affected: VMware ESXi, VMware Workstation, VMware Fusion
What happened: Broadcom published emergency patches (advisory VMSA-2025-0004) for three zero-day vulnerabilities in VMware ESXi, Workstation, and Fusion that were already being exploited in the wild when the fixes shipped. The bugs were reported by the Microsoft Threat Intelligence Center. Chained together, they give an attacker who already holds administrative privileges inside a guest VM a path out of that VM and onto the hypervisor host: the first bug moves the attacker from the guest into the host-side VMX process, the second from the VMX sandbox into the ESXi kernel.
Technical details: CVE-2025-22224 (CVSS 9.3) is a TOCTOU (Time-of-Check Time-of-Use) race condition in VMCI (Virtual Machine Communication Interface) handling that leads to an out-of-bounds heap write; a local administrator in the guest can use it to execute code as the VM's VMX process on the host, the per-VM process that services the guest's virtual devices. It affects ESXi and Workstation. CVE-2025-22225 (CVSS 8.2) is an arbitrary write vulnerability in ESXi: code already running inside the VMX process can use it to perform an arbitrary kernel write and escape the VMX sandbox into the hypervisor itself. It affects ESXi only. CVE-2025-22226 (CVSS 7.1) is an information disclosure bug caused by an out-of-bounds read in HGFS (the host-guest file system used for shared folders) that lets a guest administrator leak memory from the VMX process, the kind of leak that defeats address-space randomization and makes the other two bugs reliable to exploit. It affects ESXi, Workstation, and Fusion. Chained, the three take an attacker from a compromised guest operating system to code execution on the hypervisor host.
Who is affected: Any organization running VMware ESXi 8.0 below 8.0 U3d or 8.0 U2d, ESXi 7.0 below 7.0 U3s, VMware Workstation 17.x below 17.6.3, or VMware Fusion 13.x below 13.6.3. VMware Cloud Foundation and Telco Cloud Platform deployments are affected through the ESXi they bundle and take the same fixed ESXi builds. Because exploitation starts from administrative access inside a guest, exposure is greatest wherever guests are run for parties you do not fully trust: cloud service providers, hosting companies, and enterprises with multi-tenant virtualized environments, where a single tenant or one compromised workload is all an attacker needs.
What defenders should do: Apply the patches now, starting with multi-tenant and production ESXi hosts; CISA has added all three CVEs to its Known Exploited Vulnerabilities catalog, which sets a remediation deadline for US federal agencies. Broadcom's advisory lists no workarounds, so no configuration change removes the exposure; the only compensating control while patching is to tighten who holds administrative rights inside guests, since that is the starting point of the chain. After patching, confirm the host build with esxcli system version get on the host rather than trusting a management console's summary. For detection, treat unexplained VMX process crashes, VMX core dumps, or guests that die without an operating-system-level cause as worth investigating, since a failed memory-corruption attempt against the VMX process is one way they arise, and review the affected VMs' vmware.log files around the time of the event.
Broader implications: VM escape vulnerabilities are among the most severe in enterprise environments because they break the isolation guarantee that virtualization and multi-tenancy rest on: every workload on a compromised host, and every credential and disk image it holds, is exposed. That the Microsoft Threat Intelligence Center reported the bugs as exploited means they were observed in real intrusions before a patch existed, which points to a capable actor, though no public attribution has been made; targeted espionage against cloud infrastructure is one plausible use.
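One way to turn the version guidance above into a repeatable check, as an added example that is not code from the original page or from Broadcom: the script parses the text printed by esxcli system version get on an ESXi host (the sample output below is constructed) and compares the build number against the first fixed build of that host's own release line, then does the same for Workstation and Fusion version strings. The fixed build numbers in the table are the ones VMSA-2025-0004 lists as I recall them, so confirm them against the advisory before relying on the script; the function and constant names are mine.

```python
"""Patch-status check for the VMSA-2025-0004 fixes (CVE-2025-22224/22225/22226).

Added example, not from Broadcom or the original article. The fixed build
numbers below are taken from the advisory as recalled by the author of this
example: verify them against VMSA-2025-0004 before use.
"""
import re

# (release line, update number) -> first build that carries the fix.
FIXED_ESXI_BUILDS = {
    ("8.0", 3): 24585383,   # ESXi80U3d-24585383 (assumed; verify)
    ("8.0", 2): 24585300,   # ESXi80U2d-24585300 (assumed; verify)
    ("7.0", 3): 24585291,   # ESXi70U3s-24585291 (assumed; verify)
}
# Release lines the advisory covers. An update line inside one of these
# with no fixed build in the table (e.g. 8.0 U1) has no patch at all and
# must be upgraded to a line that does.
COVERED_ESXI_LINES = {"8.0", "7.0"}

FIXED_DESKTOP = {"workstation": (17, 6, 3), "fusion": (13, 6, 3)}


def parse_esxcli_version(text):
    """Parse `esxcli system version get` output into version, update, build.

    The command prints indented 'Key: value' lines; the Build value looks
    like 'Releasebuild-24585383', and only the trailing number matters.
    Raises ValueError when a required field is missing or malformed.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    try:
        build = int(re.search(r"(\d+)$", fields["build"]).group(1))
        return {
            "version": fields["version"],
            "update": int(fields["update"]),
            "build": build,
        }
    except (KeyError, AttributeError, ValueError) as exc:
        raise ValueError(f"unparseable esxcli output: {exc}") from exc


def esxi_status(info):
    """Return 'patched', 'vulnerable' or 'unknown' for a parsed ESXi host.

    Builds are compared only within the host's own update line: 8.0 U2d
    (24585300) is a lower build than 8.0 U3d (24585383) yet is fixed, so a
    single global threshold would get at least one of the lines wrong.
    """
    line = ".".join(info["version"].split(".")[:2])
    if line not in COVERED_ESXI_LINES:
        return "unknown"            # not in the advisory table, e.g. 6.7
    fixed = FIXED_ESXI_BUILDS.get((line, info["update"]))
    if fixed is None:
        return "vulnerable"         # covered line, but no fixed build exists
    return "patched" if info["build"] >= fixed else "vulnerable"


def desktop_status(product, version):
    """Compare a Workstation or Fusion version such as '17.6.2' with the
    first fixed release, padding short strings such as '13.6' with zeros."""
    fixed = FIXED_DESKTOP[product.lower()]
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))
    return "patched" if parts >= fixed else "vulnerable"


# Constructed sample of what `esxcli system version get` prints on an
# unpatched 8.0 U2 host; the build number is made up for the example.
SAMPLE_ESXCLI_OUTPUT = """\
   Product: VMware ESXi
   Version: 8.0.2
   Build: Releasebuild-24000000
   Update: 2
   Patch: 0
"""

if __name__ == "__main__":
    host = parse_esxcli_version(SAMPLE_ESXCLI_OUTPUT)
    print(f"ESXi {host['version']} build {host['build']}: {esxi_status(host)}")
    for product, version in [("workstation", "17.6.2"), ("fusion", "13.6.3")]:
        print(f"{product} {version}: {desktop_status(product, version)}")
```

In a fleet you would run the esxcli command over SSH or collect the same fields through the vSphere API and feed each host's output to parse_esxcli_version; the per-line comparison in esxi_status is the part worth keeping, because a flat "build is at least N" rule silently misclassifies whichever update line it was not written for.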