Broadcom is once again giving its VMware customers all-too-familiar advice: install updates to patch three actively exploited zero-day flaws in its ESXi, Workstation and Fusion products.
The flaws, reported to Broadcom by researchers at Microsoft Threat Intelligence Center, are tracked as CVE-2025-22225, a high-severity arbitrary write vulnerability in VMware ESXi; CVE-2025-22224, a critical-severity Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in VMware ESXi and Workstation; and CVE-2025-22226, a high-severity information disclosure vulnerability in VMware ESXi, Workstation and Fusion.
On the upside for VMware customers, exploitation of the flaws requires that attackers already have administrative access to the system. On the downside, threat actors have already exploited them in the wild, which prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaws to its known exploited vulnerabilities catalog. Attackers can exploit the flaws individually or chain them together for a more powerful attack.
Of the three flaws, the critical CVE-2025-22224 is the most worrying for enterprises, as it potentially gives attackers control over all the other VMs running on the same server, said Patrick Tiquet, vice president of security and architecture at security firm Keeper Security.
“The danger here is that once attackers gain access at this level, they can spread across the entire system, steal data and install backdoors to maintain access,” he said in an email to Cybersecurity Dive.
Further, what is most dangerous about the chained vulnerabilities is that they allow attackers to break out of guest OS sandboxes and seize control of the hypervisor, “extending their reach to all hosted virtual machines and the underlying infrastructure,” said Jason Soroko, senior fellow at certificate lifecycle management firm Sectigo.
“In a worst-case scenario, this breach permits reconfiguration of the hypervisor, lateral movement across systems, exfiltration of sensitive data, disruption of services and the deployment of additional malware, effectively compromising the entire virtualized ecosystem,” he said in an emailed statement.
History of VMware vulnerabilities
Security vulnerabilities have been a persistent issue for VMware virtualization products, which are ubiquitous in cloud-based enterprise environments and therefore present a broad attack surface for threat actors. The frequency of flaws in its products has led to criticism of the vendor’s security strategy, especially given its widespread use in enterprise cloud deployments.
“Recent cyberattacks targeting VMware products pose a significant and ongoing threat,” said Chris Gray, field CTO at security firm Deepwatch, via emailed comments to Cybersecurity Dive. Even when patches have been released, “incomplete application of these remediations leaves systems vulnerable to compromise,” he added.
This approach to securing VMware products is unacceptable, especially given the company’s dominant position in the virtualization market, Gray said. The company holds approximately 42.7% market share, nearly 300% that of its nearest competitor, with over half of that share in the U.S.
“Once attackers exploit initial vulnerabilities, they can uncover further weaknesses, creating a cascade effect,” he said. “Incomplete vulnerability management and the presence of orphaned virtual machines and cloud instances exacerbate these risks, making virtualization platforms an attractive target for attackers.”
Various security companies, including Rapid7 and Fortinet’s FortiGuard Labs, joined Broadcom in urging customers to patch affected systems immediately to reduce risk. Customers can find patch information in Broadcom’s security advisory.
Cybersecurity Dive had not received comment from Broadcom at the time of publication.