Dive Brief:
- Broadcom on Tuesday disclosed three zero-day vulnerabilities that affect multiple VMware products, including ESXi, Workstation and Fusion. The vulnerabilities have been exploited in the wild.
- More than 37,000 VMware ESXi instances remain vulnerable to CVE-2025-22224, a critical zero-day vulnerability, according to scanning data from the Shadowserver Foundation.
- Some customers with downgraded VMware licenses have been unable to download the patches because of an issue with the Broadcom Support Portal. The company said in an FAQ that the issue is “a high priority and will be fixed shortly.”
Dive Insight:
The most severe of the three zero-day vulnerabilities is CVE-2025-22224, a critical Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation that can lead to an out-of-bounds write condition. An attacker with local administrator privileges could execute code on the virtual machine executable (VMX) process running on the host, Broadcom’s advisory stated.
The trio of zero-days also includes CVE-2025-22225, a high-severity arbitrary write vulnerability in VMware ESXi that can enable a privileged attacker in the VMX process to execute a sandbox escape; and CVE-2025-22226, a high-severity information disclosure vulnerability in VMware ESXi, Workstation and Fusion that could allow a privileged attacker to leak memory from the VMX process.
In a blog post Wednesday, security researcher Kevin Beaumont said the three flaws can be chained together to execute a VM escape, also known as a hypervisor escape. He emphasized that such escapes pose significant threats to organizations because threat detection systems typically lack visibility into VMware environments.
“ESXi is a ‘black box’ environment, where you don’t have EDR tools and such — it is locked down. As such, a hypervisor escape means a threat actor is outside of all security tooling and monitoring,” Beaumont wrote. “They can, for example, access Active Directory Domain Controller databases without triggering any alerts anywhere in the stack, or delete data.”
According to Shadowserver’s scanning data, 41,450 ESXi instances were vulnerable to CVE-2025-22224 on Tuesday, the day the zero-day vulnerabilities were publicly disclosed. That number fell to 37,322 on Wednesday. Most unpatched instances for CVE-2025-22224 are located in China, France and the U.S.
While patching rates may have improved, some VMware customers have been unable to update their software because of the issue with the Broadcom Support Portal. “In the meantime, it is recommended to leverage in-product downloads to obtain the patch. If this is not possible, please open a non-technical support ticket for support,” the company noted in the FAQ.
It’s unclear if the Broadcom Support Portal issue has been resolved. Cybersecurity Dive contacted Broadcom about the status of the portal, but the company did not directly respond to the query. A Broadcom spokesperson provided the following statement:
“A Broadcom security advisory and technical FAQ, published on March 4, 2025, describe three newly discovered and now-patched vulnerabilities within components of the VMware Cloud Foundation platform. These vulnerabilities, which were responsibly reported to Broadcom by the Microsoft Threat Intelligence Center, range in severity from important to critical,” the spokesperson said.
“Broadcom recommends all customers using vulnerable versions of the affected VCF platform components promptly update to the ‘fixed version’ identified in the security advisory. Exploitation of these vulnerabilities may allow a threat actor to access a hypervisor through a running virtual machine, but requires the actor to first obtain local privileges on the virtual machine. Broadcom has information suggesting that exploitation has occurred.”