VMware ESXi and Workstation Vulnerabilities Let Attackers Execute Malicious Code on Host
Broadcom has patched multiple severe vulnerabilities in VMware ESXi, Workstation, Fusion and VMware Tools that could allow an attacker who already has administrative access inside a guest to execute code on the host.
The vulnerabilities, tracked as CVE-2025-41236, CVE-2025-41237, CVE-2025-41238 and CVE-2025-41239, carry CVSS scores ranging from 6.2 to 9.3, with three classified as critical.
All four were demonstrated at the Pwn2Own Berlin 2025 competition, underlining how attractive the virtualization layer is to attackers who want to turn one compromised guest into control of its host.
Key Takeaways
1. VMware patched CVE-2025-41236, CVE-2025-41237, CVE-2025-41238 and CVE-2025-41239, which affect the VMXNET3, VMCI, PVSCSI and vSockets components respectively.
2. Three of the flaws allow an attacker with local administrative privileges inside a guest to execute code in the host's VMX process; on Workstation and Fusion this is a full virtual machine escape to the host operating system.
3. Affected products include VMware ESXi 7.0/8.0, Workstation Pro 17.x, Fusion 13.x, VMware Tools, and the Cloud Foundation and Telco Cloud platforms that bundle them.
4. Deploy the updates immediately: the ESXi patches, Workstation Pro 17.6.4, Fusion 13.6.4 and VMware Tools 13.0.1.0.
VMXNET3 Integer Overflow Flaw
The most severe vulnerability, CVE-2025-41236, affects the VMXNET3 virtual network adapter and carries the maximum CVSS score of 9.3.
This integer-overflow vulnerability allows an attacker with local administrative privileges on a virtual machine to execute arbitrary code on the host.
The flaw is specific to the VMXNET3 virtual network adapter; virtual machines that use other adapter types are not affected, which gives a short-term mitigation for VMs that cannot be patched immediately.
Security researcher Nguyen Hoang Thach of STARLabs SG, working with Trend Micro's Zero Day Initiative, which runs Pwn2Own, discovered this critical weakness.
The vulnerability affects VMware ESXi 7.0 and 8.0 as well as Workstation Pro 17.x and Fusion 13.x, so it requires immediate patching across enterprise environments.
VMCI Integer Underflow Flaw
CVE-2025-41237 carries a CVSS v3 base score of 9.3 (Critical) and affects the Virtual Machine Communication Interface (VMCI) component.
This vulnerability stems from an integer-underflow condition that leads to an out-of-bounds write, enabling an attacker with local administrative privileges in the guest to execute code within the virtual machine's VMX process on the host.
The practical impact differs between deployment environments. On ESXi the VMX process runs sandboxed, so exploitation remains contained within the VMX sandbox and does not by itself yield control of the hypervisor.
On VMware Workstation and Fusion, however, successful exploitation can lead to code execution on the desktop host where the product is installed, a complete escape from the virtual machine.
PVSCSI Heap Overflow Flaw
CVE-2025-41238 is another critical vulnerability with a maximum CVSS v3 base score of 9.3, this time in the Paravirtualized SCSI (PVSCSI) controller.
This heap-overflow vulnerability creates an out-of-bounds write that enables code execution within the VMX process.
Exploitability depends on the deployment configuration. On ESXi the flaw is only exploitable with unsupported configurations, which limits its practical impact in production environments; the patch should still be applied on ESXi rather than relying on that caveat.
VMware Workstation and Fusion users face a greater risk, as successful exploitation can lead to code execution on the host machine where the virtualization software is installed.
vSockets Information Disclosure Flaw
CVE-2025-41239 differs from the other vulnerabilities in both severity and impact, carrying a CVSS v3 base score of 7.1 (Important) for ESXi, Workstation and Fusion, and 6.2 (Moderate) for VMware Tools.
This vulnerability affects the vSockets communication mechanism and results from a use of uninitialized memory, leading to information disclosure rather than code execution.
It enables an attacker with local administrative privileges to leak memory contents from processes communicating over vSockets, which can include data useful for defeating mitigations when chained with one of the memory-corruption bugs above.
On the guest side it affects VMware Tools for Windows across versions 11.x, 12.x and 13.x; the Linux and macOS implementations are not affected.
| CVE ID | Title | Affected Products | CVSS 3.1 Score | Severity |
|---|---|---|---|---|
| CVE-2025-41236 | VMXNET3 integer-overflow vulnerability | VMware ESXi, Workstation, Fusion | 9.3 | Critical |
| CVE-2025-41237 | VMCI integer-underflow vulnerability | VMware ESXi, Workstation, Fusion | 9.3 (Workstation/Fusion), 8.4 (ESXi) | Critical |
| CVE-2025-41238 | PVSCSI heap-overflow vulnerability | VMware ESXi, Workstation, Fusion | 9.3 (Workstation/Fusion), 7.4 (ESXi) | Critical |
| CVE-2025-41239 | vSockets information-disclosure vulnerability | VMware ESXi, Workstation, Fusion, VMware Tools | 7.1 (ESXi/Workstation/Fusion), 6.2 (Tools) | Important/Moderate |
Broadcom has released patches for all affected products: ESXi80U3f-24784735 for ESXi 8.0, ESXi70U3w-24784741 for ESXi 7.0, Workstation Pro 17.6.4, Fusion 13.6.4 and VMware Tools 13.0.1.0.
Organizations should prioritize immediate deployment of these updates, and because CVE-2025-41239 lives partly in the guest agent, the Tools update has to be rolled out inside Windows guests and not only on the hosts.
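A practical follow-up is to check the estate against the fixed levels above. The script below is an added example, not Broadcom tooling: it parses the output of `esxcli system version get` for the build number, compares desktop products and Tools by dotted version, and skips the Tools check for non-Windows guests because the Tools side of CVE-2025-41239 is Windows-only. The fixed builds and versions are the ones quoted in this article; the inventory records and the older build numbers in them are constructed sample input.

```python
"""
Triage a VMware estate against the fixed builds listed for
CVE-2025-41236, -41237, -41238 and -41239.

Added example, not Broadcom tooling. The fixed build and version numbers are
the ones quoted in the article; the inventory records are constructed sample
input, and the older build numbers in them are made up for illustration.
"""
import re
from typing import NamedTuple

# Fixed levels from the advisory. ESXi is compared by build number inside its
# major.minor train (ESXi70U3w-24784741, ESXi80U3f-24784735); Workstation,
# Fusion and Tools are compared as dotted versions.
FIXED_ESXI_BUILD = {"7.0": 24784741, "8.0": 24784735}
FIXED_VERSION = {
    "Workstation": (17, 6, 4),
    "Fusion": (13, 6, 4),
    "Tools": (13, 0, 1, 0),
}


class Finding(NamedTuple):
    name: str
    product: str
    observed: str
    required: str


def parse_esxcli_version(text: str) -> tuple[str, int]:
    """Return (train, build) from the output of `esxcli system version get`.

    The command prints lines such as `Version: 8.0.3` and
    `Build: Releasebuild-24784735`; the train is the leading major.minor.
    """
    ver = re.search(r"^\s*Version:\s*(\d+\.\d+)", text, re.MULTILINE)
    build = re.search(r"^\s*Build:\s*Releasebuild-(\d+)", text, re.MULTILINE)
    if not ver or not build:
        raise ValueError("unrecognised esxcli output")
    return ver.group(1), int(build.group(1))


def esxi_is_fixed(train: str, build: int) -> bool:
    """True when an ESXi host's build is at or above the fixed build for its train."""
    if train not in FIXED_ESXI_BUILD:
        raise ValueError(f"ESXi {train} is not covered by this check")
    return build >= FIXED_ESXI_BUILD[train]


def version_is_fixed(product: str, version: str) -> bool:
    """Compare a dotted product version against the fixed version, field by field."""
    fixed = FIXED_VERSION[product]
    parts = tuple(int(p) for p in version.split("."))
    parts = (parts + (0,) * len(fixed))[:len(fixed)]  # pad short strings like "17.6"
    return parts >= fixed


def triage(inventory: list[dict]) -> list[Finding]:
    """Return one Finding per record that is still below the fixed level."""
    findings = []
    for item in inventory:
        product = item["product"]
        if product == "ESXi":
            train, build = parse_esxcli_version(item["esxcli"])
            if not esxi_is_fixed(train, build):
                findings.append(Finding(item["name"], product,
                                        f"{train} build {build}",
                                        f"build >= {FIXED_ESXI_BUILD[train]}"))
        elif product in FIXED_VERSION:
            # The Tools part of CVE-2025-41239 affects the Windows build only,
            # so Linux and macOS guests are not flagged on the Tools check.
            if product == "Tools" and item.get("guest_os") != "windows":
                continue
            if not version_is_fixed(product, item["version"]):
                required = ".".join(str(p) for p in FIXED_VERSION[product])
                findings.append(Finding(item["name"], product,
                                        item["version"], f">= {required}"))
        else:
            raise ValueError(f"unknown product {product!r} for {item['name']}")
    return findings


# Constructed sample inventory. The esxcli blobs mimic the layout of
# `esxcli system version get`; the 7.0 build number is made up and predates
# the fix, the 8.0 one is the fixed build from the advisory.
ESXCLI_PATCHED = (
    "   Product: VMware ESXi\n"
    "   Version: 8.0.3\n"
    "   Build: Releasebuild-24784735\n"
)
ESXCLI_OLD = (
    "   Product: VMware ESXi\n"
    "   Version: 7.0.3\n"
    "   Build: Releasebuild-24000000\n"
)
SAMPLE_INVENTORY = [
    {"name": "esx01", "product": "ESXi", "esxcli": ESXCLI_PATCHED},
    {"name": "esx02", "product": "ESXi", "esxcli": ESXCLI_OLD},
    {"name": "dev-laptop", "product": "Workstation", "version": "17.6.3"},
    {"name": "mac-lab", "product": "Fusion", "version": "13.6.4"},
    {"name": "win-guest-07", "product": "Tools", "guest_os": "windows", "version": "12.5.0.0"},
    {"name": "lin-guest-03", "product": "Tools", "guest_os": "linux", "version": "12.5.0.0"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.name}: {f.product} {f.observed} is below the fixed level ({f.required})")
```

On a real estate the `esxcli` field would be filled from `esxcli system version get` on each host (or the equivalent vCenter API call), and the Tools version from `vmware-toolbox-cmd -v` inside each guest. Comparing ESXi by build number rather than by patch name is deliberate: any later build in the same train also contains the fix, so the check stays valid after subsequent patches.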