March 5, 2025

Multiple zero-days in VMware products actively exploited


Broadcom has advised that it has recently discovered three zero-day vulnerabilities in several of its VMware products that are being actively exploited. The vulnerabilities include:

  • CVE-2025-22224 - A critical-severity heap overflow vulnerability that could enable a threat actor with local access and administrative privileges on the targeted virtual machine (VM) to execute code on its underlying host.
  • CVE-2025-22225 - An arbitrary write vulnerability that allows the virtual machine extensions (VMX) process to trigger arbitrary kernel writes, potentially leading to a sandbox escape.
  • CVE-2025-22226 - An information-disclosure flaw that could allow threat actors with administrative permissions to leak memory from the VMX process.

What makes these vulnerabilities collectively so troublesome is that threat actors who compromise and gain administrative or root access to a VM’s guest operating system (OS) can chain them together to escape the VM’s virtual sandbox and move into the hypervisor itself. This would potentially provide the threat actor with access to all the other VMs running on the host.

Broadcom hasn’t provided any further detail on the exploitation of the zero-day vulnerabilities, which affect the following VMware products:

  • VMware ESXi
  • vSphere
  • Workstation
  • Fusion
  • Cloud Foundation
  • Telco Cloud Platform

Source: Bleeping Computer

Analysis

The consequences of a threat actor successfully escaping a VM and gaining access to the underlying host system and hypervisor can be severe. The hypervisor is responsible for managing multiple VMs on a single physical server, ensuring isolation and resource allocation. Thus, compromising the hypervisor allows a threat actor to control not just one, but potentially all the VMs running on that host. This breach can lead to unauthorized access to sensitive data, disruption of services, and the ability to launch further attacks within the network.

Historically, attackers who have achieved VM escape have exploited these elevated privileges in various malicious ways. Ransomware groups have targeted vulnerabilities in virtualization platforms to deploy ransomware across multiple VMs simultaneously, amplifying the impact of their attacks. Nation-state actors have done the same to establish persistent backdoors within compromised networks. For example, in 2023, the ESXiArgs campaign saw ransomware operators encrypt ESXi hypervisors across thousands of servers globally, demonstrating the widespread damage that can result from such exploits. In 2024, it was revealed that Chinese state-sponsored cyber actors had been exploiting CVE-2023-34048, a critical vCenter Server vulnerability, as a zero-day for at least three years to deploy the VirtualPita and VirtualPie backdoors.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for threats targeting virtual environments. Field Effect MDR users are automatically notified if vulnerable virtualization software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly encourages organizations to apply the necessary patches in accordance with Broadcom’s advisory as soon as possible to mitigate the risks associated with these vulnerabilities.

Additionally, Field Effect recommends organizations that run virtualized environments consider the following proactive steps to protect themselves from VM escape threats and hypervisor compromises:

  • Apply security patches promptly – Security patches should be applied as soon as possible to mitigate zero-day vulnerabilities before threat actors can exploit them.
  • Implement network segmentation – Limiting network access between VMs, hypervisors, and external systems reduces the impact of an attack. Firewalls and VLANs can help isolate critical workloads.
  • Restrict administrative access – Implement the principle of least privilege (PoLP) by ensuring only authorized users can manage virtualized infrastructure. Use role-based access controls (RBAC) and disable unnecessary administrative accounts.
  • Enable security hardening features – Organizations should harden hypervisor settings according to VMware’s best practices. For example, VMware offers built-in security configurations such as VM escape protections, secure boot, and virtual TPMs.
  • Monitor for anomalous activity – Deploy cybersecurity solutions capable of identifying irregular and suspicious activity, such as unexpected hypervisor modifications or unauthorized VM-to-host interactions.
  • Implement strong authentication – Require multi-factor authentication (MFA) for access to VMware environments to prevent unauthorized access due to credential theft.
  • Regularly audit and test virtual environments – Conduct penetration tests and vulnerability assessments to identify weaknesses that could lead to VM escape or hypervisor compromise.
