CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
Broadcom published an advisory for three flaws in several VMware products that were exploited in the wild as zero-days. Organizations are advised to apply the available patches.
Update March 4: The Solutions section has been updated to note that VMware ESXi 6.7 is also affected and a fixed version is available.
Background
On March 4, Broadcom published an advisory (VMSA-2025-0004) for three zero-day vulnerabilities across multiple VMware products:
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2025-22224 | VMware ESXi and Workstation Heap-Overflow Vulnerability | 9.3 |
| CVE-2025-22225 | VMware ESXi Arbitrary Write Vulnerability | 8.2 |
| CVE-2025-22226 | VMware ESXi, Workstation and Fusion Information Disclosure Vulnerability | 7.1 |
In addition to its advisory, Broadcom published a frequently asked questions (FAQ) document for these vulnerabilities: VMSA-2025-0004: Questions & Answers.
Analysis
CVE-2025-22224 is a TOCTOU (Time-of-Check Time-of-Use) vulnerability in VMWare ESXi and Workstation. A local, authenticated attacker with admin privileges could exploit this vulnerability to gain code execution on the virtual-machine executable (VMX) process.
CVE-2025-22225 is an arbitrary write vulnerability in VMware ESXi. A local, authenticated attacker with requisite privileges could exploit this vulnerability through the VMX process to escape the sandbox.
CVE-2025-22226 is an information-disclosure vulnerability in VMware ESXi, Workstation and Fusion. An authenticated, local attacker with admin privileges could exploit this vulnerability to cause the VMX process to leak contents from memory.
Exploited in the wild as zero-days
According to Broadcom, these vulnerabilities were discovered and disclosed by researchers at the Microsoft Threat Intelligence Center (MSTIC) and observed being exploited in the wild. No specific details about in-the-wild exploitation were shared.
Proof of concept
At the time this blog post was published, there were no proofs-of-concept (PoCs) available for any of these three vulnerabilities.
Solution
VMware has released fixed versions for affected VMware products:
| Affected Products | CVEs | Fixed Versions | |||
|---|---|---|---|---|---|
| VMware ESXi 8.0 | CVE-2025-22224, | CVE-2025-22225, | CVE-2025-22226 | ESXi80U3d-24585383, | ESXi80U2d-24585300 |
| VMware ESXi 7.0 | CVE-2025-22224, | CVE-2025-22225, | CVE-2025-22226 | ESXi70U3s-24585291 | |
| VMware ESXi 6.7 | CVE-2025-22224, | CVE-2025-22225, | CVE-2025-22226 | ESXi670-202503001 | |
| VMware Workstation 17.x | CVE-2025-22224, | CVE-2025-22226 | 17.6.3 | ||
| VMware Fusion 13.x | CVE-2025-22226 | 13.6.3 |
Additionally, VMware Cloud Foundation and VMware Telco Cloud Platform and Telco Cloud Infrastructure are affected. An asynchronous patch is available for VMware Cloud Foundation, while Telco Cloud Platform customers should update to a fixed ESXi version. For more information, please refer to Broadcom’s advisory.
Thanks to Tom Sellers for identifying that VMware ESXi 6.7 is also affected and a fixed version is available.
Identifying affected systems
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Get more information
Change Log
Update March 4: The Solutions section has been updated to note that VMware ESXi 6.7 is also affected and a fixed version is available.
Join on the Tenable Community.
Learn more about , the Exposure Management Platform for the modern attack surface.
*** This is a Security Bloggers Network syndicated blog from Tenable Blog authored by Satnam Narang. Read the original post at: https://www.tenable.com/blog/cve-2025-22224-cve-2025-22225-cve-2025-22226-zero-day-vulnerabilities-in-vmware-esxi
