VMware ESXi Vulnerability Enables Hypervisor Escape from Guest VM
A critical heap overflow vulnerability in VMware ESXi allows an attacker with local admin privileges on a guest VM to escape the sandbox and execute code on the hypervisor host.
What happened: Broadcom released critical security updates for VMware ESXi, Workstation, and Fusion to address a heap overflow vulnerability that enables virtual machine escape. An attacker with local administrator privileges within a guest virtual machine can exploit the flaw to execute arbitrary code on the host hypervisor, effectively breaking out of the virtualization sandbox. The vulnerability has a CVSS score of 9.3 and ransomware groups are known to actively target ESXi environments.
Technical details: CVE-2025-22230 is a heap-based buffer overflow in the HGFS (Host-Guest File System) component used for shared folder functionality between host and guest systems. By sending specially crafted HGFS requests from within a guest VM, an attacker can corrupt heap memory on the host, achieving code execution in the VMX process context. From there, privilege escalation to root on the ESXi host is possible. The vulnerability is exploitable even when shared folders are not explicitly configured, as the HGFS component is loaded by default.
Who is affected: Organizations running VMware ESXi hypervisors in data centers and cloud environments, VMware Workstation users on Windows and Linux, and VMware Fusion users on macOS. Enterprise environments using ESXi for server virtualization are at highest risk, as a hypervisor escape can compromise all virtual machines running on the same host.
What defenders should do: Apply Broadcom security patches immediately. If patching is delayed, disable the HGFS feature on ESXi hosts where shared folders are not required. Ensure ESXi management interfaces are not exposed to untrusted networks. Monitor for unusual process execution on ESXi hosts. Review guest VM access controls to ensure only authorized administrators have local admin privileges within guest VMs.
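One way to check the per-VM side of the "disable HGFS where shared folders are not required" step, as an added Python example that is not part of the advisory: it parses VMX configuration files and reports VMs that do not set `isolation.tools.hgfs.disable = "TRUE"`, a key taken from VMware's security hardening guides (whether it is the right control for a given ESXi, Workstation or Fusion release is an assumption to verify against Broadcom's advisory). The VMX contents are constructed samples, not real hosts.

```python
from typing import Dict, List, Tuple

# Assumed hardening key (from VMware's hardening guides, not from the advisory):
# "TRUE" disables the HGFS shared-folder channel for that VM. An absent key
# means the default (HGFS enabled) applies, which is the risky state.
HGFS_DISABLE_KEY = "isolation.tools.hgfs.disable"

# Constructed sample VMX files keyed by VM name.
SAMPLE_VMX: Dict[str, str] = {
    "web01": '.encoding = "UTF-8"\nconfig.version = "8"\ndisplayName = "web01"\n'
             'isolation.tools.hgfs.disable = "TRUE"\n',
    "db01": '.encoding = "UTF-8"\ndisplayName = "db01"\n# no HGFS key: default applies\n',
    "build01": 'displayName = "build01"\nisolation.tools.hgfs.disable = "FALSE"\n',
}


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse VMX text (key = "value" per line, '#' comments) into a dict.
    VMX keys are case-insensitive, so they are lower-cased here."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # drop surrounding quotes
        settings[key.strip().lower()] = value
    return settings


def hgfs_disabled(settings: Dict[str, str]) -> bool:
    """True only when the HGFS isolation key is present and explicitly TRUE."""
    return settings.get(HGFS_DISABLE_KEY.lower(), "").strip().lower() == "true"


def audit(vmx_files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (vm_name, finding) for every VM that still has HGFS enabled."""
    findings: List[Tuple[str, str]] = []
    for name, text in vmx_files.items():
        settings = parse_vmx(text)
        if not hgfs_disabled(settings):
            current = settings.get(HGFS_DISABLE_KEY.lower(), "<unset>")
            findings.append((name, f'{HGFS_DISABLE_KEY} is {current}; set it to "TRUE"'))
    return findings


def harden(text: str) -> str:
    """Return VMX text with the HGFS isolation key forced to TRUE (replace or append)."""
    out, replaced = [], False
    for line in text.splitlines():
        if line.split("=", 1)[0].strip().lower() == HGFS_DISABLE_KEY.lower():
            out.append(f'{HGFS_DISABLE_KEY} = "TRUE"')
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f'{HGFS_DISABLE_KEY} = "TRUE"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for vm, finding in audit(SAMPLE_VMX):
        print(f"{vm}: {finding}")
```

Powered-on VMs only pick up a changed VMX setting after a restart, so treat the output as a worklist rather than proof of mitigation.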
Broader implications: Hypervisor escape vulnerabilities are among the most severe classes of security flaws in virtualized environments, because they undermine the fundamental isolation guarantee of virtualization. ESXi continues to be a prime target for ransomware groups, who deploy ESXi-specific encryptors to maximize impact by encrypting entire virtual machine disk files. This vulnerability adds urgency to the migration decision many organizations face between on-premises VMware and cloud-native infrastructure.