
Three VMware Vulnerabilities Actively Exploited in the Wild

VMware zero-day flaw

Broadcom has released urgent security patches to address three actively exploited vulnerabilities in VMware ESXi, Workstation, and Fusion products. The security advisory (VMSA-2025-0004), published on March 4, 2025, warns of critical flaws that could allow attackers to execute code on host systems and leak sensitive information.

The most severe vulnerability, CVE-2025-22224, received a CVSS score of 9.3 and involves a Time-of-Check Time-of-Use (TOCTOU) vulnerability leading to an out-of-bounds write. This flaw enables attackers with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process on the host system, effectively allowing a VM escape scenario.

The other vulnerabilities include CVE-2025-22225 (CVSS 8.2), an arbitrary write vulnerability that could lead to sandbox escape, and CVE-2025-22226 (CVSS 7.1), an information disclosure vulnerability in the Host Guest File System (HGFS) component.

In a separate FAQ document, Broadcom confirmed that it "has information to suggest that exploitation of these issues has occurred in the wild." However, it did not provide details about the nature of the attacks or threat actors involved. All three vulnerabilities were discovered and reported by the Microsoft Threat Intelligence Center.

Affected products and their patched versions include:

  • VMware ESXi 8.0 (fixed in ESXi80U3d-24585383 and ESXi80U2d-24585300)
  • VMware ESXi 7.0 (fixed in ESXi70U3s-24585291)
  • VMware Workstation 17.x (fixed in 17.6.3)
  • VMware Fusion 13.x (fixed in 13.6.3)
  • VMware Cloud Foundation (both 4.x and 5.x)
  • VMware Telco Cloud Platform and Infrastructure

The advisory emphasizes that there are no feasible workarounds for these vulnerabilities, making patching the only effective remediation strategy. Organizations are advised to implement patches immediately, using vMotion where available to relocate virtual machines during the "rolling reboot" process.
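A quick way to turn the fixed-build list above into an inventory check is to compare each host's reported version and build against the advisory's fixed builds. The script below is an added example, not code from the advisory or from Broadcom; it assumes that ESXi 8.0 Update 3 hosts report version "8.0.3", 8.0 Update 2 hosts "8.0.2" and 7.0 Update 3 hosts "7.0.3", and that `esxcli system version get` prints `Version:` and `Build: Releasebuild-NNN` lines. Builds are compared only within a host's own version line, so an 8.0 U3 host whose build number happens to exceed the U2d fix build is still flagged as vulnerable.

```python
import re

# Fixed builds taken from VMSA-2025-0004, keyed by the version string a host
# reports. Assumption (not from the article): 8.0 U3 hosts report "8.0.3",
# 8.0 U2 hosts "8.0.2", 7.0 U3 hosts "7.0.3".
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi80U3d-24585383
    "8.0.2": 24585300,  # ESXi80U2d-24585300
    "7.0.3": 24585291,  # ESXi70U3s-24585291
}

# Constructed sample of `esxcli system version get` output for an 8.0 U3 host.
SAMPLE_OUTPUT = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24585383
   Update: 3
   Patch: 0
"""


def parse_esxcli_version(text):
    """Return (version, build) parsed from `esxcli system version get` output."""
    version = re.search(r"^\s*Version:\s*(\d+\.\d+\.\d+)", text, re.M)
    build = re.search(r"^\s*Build:\s*(?:Releasebuild-)?(\d+)", text, re.M)
    if not version or not build:
        raise ValueError("Version/Build lines not found in esxcli output")
    return version.group(1), int(build.group(1))


def vmsa_2025_0004_status(version, build):
    """Classify a host as 'patched', 'vulnerable' or 'unknown'.

    Comparison is per version line. A 7.0.x or 8.0.x line with no listed
    fix has no patched build at all and must move to a fixed line, so it is
    reported as vulnerable; other majors are outside the advisory's scope.
    """
    fixed = FIXED_BUILDS.get(version)
    if fixed is not None:
        return "patched" if build >= fixed else "vulnerable"
    if version.startswith(("7.0.", "8.0.")):
        return "vulnerable"
    return "unknown"


if __name__ == "__main__":
    ver, bld = parse_esxcli_version(SAMPLE_OUTPUT)
    print(ver, bld, vmsa_2025_0004_status(ver, bld))
```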

Broadcom has made the patches available through its support portal even to customers whose support contracts have expired, as part of its commitment to provide critical security updates for all customers running supported versions.
