CISA Warns of Actively Exploited VMware Vulnerabilities, Urges Immediate Patching


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert on March 4, 2025, adding three critical VMware vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog following confirmed in-the-wild exploitation.

The vulnerabilities CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 allow attackers with privileged access to virtual machines (VMs) to escalate privileges, execute code on hypervisors, and exfiltrate sensitive memory data.

These flaws, discovered by Microsoft Threat Intelligence Center (MSTIC), affect VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform products.

CISA’s advisory coincides with Broadcom’s release of patches, emphasizing the need for federal agencies and private organizations to prioritize remediation under the Binding Operational Directive (BOD).

VMware Vulnerabilities Exploited

Critical TOCTOU Flaw Enables Hypervisor Takeover (CVE-2025-22224)

CVE-2025-22224, the most severe of the trio with a CVSS score of 9.3, is a Time-of-Check Time-of-Use (TOCTOU) race condition in VMware ESXi and Workstation.

Attackers with administrative privileges on a VM can exploit this heap overflow vulnerability to execute arbitrary code within the VMX process—the hypervisor component managing VM operations.

Successful exploitation grants control over the host system, enabling lateral movement across virtualized infrastructures.
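As an added illustration, not VMware's code and not the specific defect in CVE-2025-22224 (whose internals the advisory does not describe), the following Python model shows the double-fetch shape that TOCTOU bugs in guest-to-hypervisor handlers commonly take, beside the single-fetch form that closes the race. `GuestSharedPage`, `BUF_SIZE`, the handler names and the sample payload are all constructed for the example.

```python
"""Constructed model of a double-fetch (TOCTOU) race of the class described for
CVE-2025-22224. A 'hypervisor' handler copies a guest-supplied message out of
memory that the guest can still write to while the handler runs."""

BUF_SIZE = 64  # assumed size of the hypervisor-side destination buffer


class GuestSharedPage:
    """Models a page the guest owns and may change at any time.

    `length_values` is the sequence of values the guest writes to the length
    field; each read returns the next one, which deterministically reproduces
    "the guest changes the field between the check and the use".
    """

    def __init__(self, length_values, payload):
        self._length_values = list(length_values)
        self.payload = payload  # bytes the guest placed after the length field

    def read_length(self):
        if len(self._length_values) > 1:
            return self._length_values.pop(0)
        return self._length_values[0]


def vulnerable_copy(page):
    """Double fetch: validates one read of the length, then copies using a second read."""
    if page.read_length() > BUF_SIZE:      # time of check
        raise ValueError("length too large")
    n = page.read_length()                 # time of use: re-read from guest memory
    return page.payload[:n]                # a fixed-size buffer would overflow if n > BUF_SIZE


def hardened_copy(page):
    """Single fetch: read once into a local, then validate and use only that local copy."""
    n = page.read_length()
    if n > BUF_SIZE:
        raise ValueError("length too large")
    return page.payload[:n]


def overflowed(copied):
    """True when more bytes were copied than the destination buffer holds."""
    return len(copied) > BUF_SIZE


if __name__ == "__main__":
    payload = bytes(range(256))  # constructed guest payload, larger than BUF_SIZE
    racing = GuestSharedPage([32, 200], payload)  # 32 passes the check, 200 is then used
    print("vulnerable copied", len(vulnerable_copy(racing)), "bytes")  # 200
    racing = GuestSharedPage([32, 200], payload)
    print("hardened copied", len(hardened_copy(racing)), "bytes")      # 32
```

The defensive rule the model demonstrates is that anything read from memory another party can write (a guest page, a user-space buffer, a DMA region) is copied into a private variable exactly once, and every later check and use operates on that private copy.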

Sandbox Escape via Arbitrary Write (CVE-2025-22225)

CVE-2025-22225 (CVSS 8.2) permits authenticated attackers to write arbitrary data to ESXi hosts through the VMX process, facilitating sandbox escapes. By manipulating kernel memory, adversaries gain elevated privileges to deploy malware or disrupt services.

This flaw is particularly dangerous in multi-tenant cloud environments, where a single compromised VM could jeopardize entire clusters.

Hypervisor Memory Leakage (CVE-2025-22226)

The third vulnerability, CVE-2025-22226 (CVSS 7.1), stems from an out-of-bounds read in VMware’s Host Guest File System (HGFS).

Attackers leveraging this flaw can extract sensitive data from the VMX process, including encryption keys or credentials stored in hypervisor memory. While less severe than the others, it provides critical reconnaissance data for orchestrating further attacks.

Broadcom released fixes for all affected products, including:

  • ESXi 8.0/7.0: Patches ESXi80U3d-24585383 and ESXi70U3s-24585291
  • Workstation 17.x: Version 17.6.3 addresses CVE-2025-22224/22226
  • Fusion 13.x: Update 13.6.3 resolves CVE-2025-22226

Organizations using VMware Cloud Foundation or Telco Cloud Platform must apply asynchronous patches or upgrade to fixed ESXi versions.

Recommended actions:

  1. Immediate Patching: Prioritize updates for ESXi, Workstation, and Fusion.
  2. Monitor VM Activity: Detect unusual privilege escalation or memory access patterns.
  3. Leverage BOD 22-01 Frameworks: Align remediation workflows with CISA’s KEV timelines.
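To support the patching step, here is an added triage script (not CISA's or Broadcom's tooling) that compares the build number an ESXi host reports against the fixed builds named above: 24585383 for ESXi 8.0 and 24585291 for ESXi 7.0. It assumes the `vmware -v` output format `VMware ESXi <version> build-<number>`, and that build numbers increase monotonically within a major version line; the inventory, hostnames and the unpatched build numbers in the sample are constructed.

```python
"""Added patch-status check for the ESXi fixes named in the advisory.
Not affiliated with CISA or Broadcom; the only authoritative source for fixed
builds is the vendor advisory."""
import re

# Minimum build carrying the fix, keyed by ESXi major version (values from the advisory text).
FIXED_BUILDS = {
    "8.0": 24585383,  # ESXi80U3d-24585383
    "7.0": 24585291,  # ESXi70U3s-24585291
}

# Assumed format of `vmware -v` on an ESXi host, e.g. "VMware ESXi 8.0.3 build-24585383".
VERSION_RE = re.compile(r"VMware ESXi (?P<major>\d+\.\d+)(?:\.\d+)? build-(?P<build>\d+)")


def parse_vmware_version(line):
    """Return (major_version, build_number) from a `vmware -v` style line."""
    m = VERSION_RE.search(line)
    if not m:
        raise ValueError(f"unrecognized version string: {line!r}")
    return m.group("major"), int(m.group("build"))


def patch_status(line):
    """Return 'patched', 'vulnerable', or 'unknown' (major line not in FIXED_BUILDS)."""
    major, build = parse_vmware_version(line)
    fixed = FIXED_BUILDS.get(major)
    if fixed is None:
        return "unknown"  # e.g. an out-of-support line: needs manual review, not a pass
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory):
    """inventory maps hostname -> version line; returns hostnames grouped by status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, line in inventory.items():
        try:
            report[patch_status(line)].append(host)
        except ValueError:
            report["unknown"].append(host)  # unparsable output is flagged, never silently passed
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and the unpatched build numbers are illustrative.
    sample = {
        "esxi-01": "VMware ESXi 8.0.3 build-24585383",
        "esxi-02": "VMware ESXi 8.0.3 build-24280767",
        "esxi-03": "VMware ESXi 7.0.3 build-24585291",
        "esxi-04": "VMware ESXi 7.0.3 build-23794027",
        "esxi-05": "VMware ESXi 6.7.0 build-17700523",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` (unsupported lines, or output the regex does not recognize) should be reviewed by hand rather than treated as clean, and Cloud Foundation or Telco Cloud Platform hosts that take asynchronous patches need their own build mapping from the vendor advisory, which this table does not include.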

With exploitation already observed, delayed patching risks large-scale breaches akin to the 2024 vCenter Server incidents. As virtualization underpins critical infrastructure, proactive defense is paramount to thwarting nation-state adversaries seeking persistent access.
