VMware ESXi and Workstation Vulnerabilities Allow Host-Level Code Execution
Broadcom disclosed four critical vulnerabilities in VMware’s virtualization suite on July 15, 2025, enabling attackers to escape virtual machines and execute code directly on host systems.
The flaws, discovered through the Pwn2Own competition, affect ESXi, Workstation, Fusion, and VMware Tools across enterprise and desktop environments.
Vulnerability Overview
| CVE ID | Component | Vulnerability Type | CVSS Score | Impact |
|---|---|---|---|---|
| CVE-2025-41236 | VMXNET3 Virtual NIC | Integer Overflow | 9.3 | Host-level code execution |
| CVE-2025-41237 | VMCI | Integer Underflow | 9.3 | VMX process compromise |
| CVE-2025-41238 | PVSCSI Controller | Heap Overflow | 9.3 | Host-level code execution |
| CVE-2025-41239 | vSockets | Information Disclosure | 7.1 | Memory leak |
The most severe vulnerability, CVE-2025-41236, resides in the VMXNET3 virtual network adapter.
Attackers with administrative privileges inside a guest virtual machine can trigger an integer overflow that allows arbitrary code execution on the underlying host system.
This flaw affects VMware’s most commonly deployed virtual network adapter, making it particularly dangerous for cloud and enterprise environments.
CVE-2025-41237 targets the Virtual Machine Communication Interface (VMCI), which facilitates host-guest interactions like clipboard sharing and drag-and-drop functionality.
An integer underflow vulnerability leads to out-of-bounds memory writes, compromising the VMX process. While ESXi’s sandbox contains the exploit within the VMX process, Workstation and Fusion users face complete host compromise.
The third critical flaw, CVE-2025-41238, affects the paravirtualized SCSI controller through a heap overflow vulnerability.
Attackers can exploit this issue to achieve host-level code execution, though ESXi implementations are only vulnerable in unsupported configurations. Desktop virtualization products remain fully exposed.
CVE-2025-41239, while rated lower at 7.1, enables information disclosure through uninitialized memory reads in vSockets.
This vulnerability affects VMware Tools for Windows and can leak sensitive data including cryptographic keys and kernel pointers, potentially facilitating other attacks.
Affected Products and Impact
The vulnerabilities impact VMware Cloud Foundation, vSphere Foundation, ESXi, Workstation Pro, Fusion, VMware Tools, and various Telco Cloud platforms.
All products share the vulnerable device emulation code, creating a broad attack surface across VMware’s entire ecosystem.
Security researchers from STARLabs SG, REverse Tactics, Synacktiv, and THEORI discovered these flaws during Pwn2Own Tokyo 2025, demonstrating successful exploitation with near-100% reliability rates.
Broadcom has released patches for all affected versions but provides no workarounds.
Organizations must immediately update to fixed versions: ESXi 7.x through 8.0 U3b, Workstation Pro 17.5.1, and Fusion Pro 13.5.1. VMware Tools 12.5.3 addresses the Windows-specific vSockets vulnerability.
The company emphasizes that patching both hypervisor and Tools components is essential, as updating only the hypervisor leaves the information disclosure vulnerability active.
With proof-of-concept exploits already demonstrated publicly, security teams should prioritize emergency patching to prevent potential host compromises that could enable lateral movement across virtualized infrastructures.