On March 4, 2025, Broadcom released patches for three zero-day vulnerabilities exploited in the wild, affecting ESXi, Workstation, and Fusion. These vulnerabilities, discovered by Microsoft, range in severity from high to critical.
| Vulnerability | CVSS | Description |
|---|---|---|
| CVE-2025-22224 | 9.3 | A critical TOCTOU (Time-of-Check Time-of-Use) vulnerability in VMware ESXi and Workstation that allows a threat actor with local administrative privileges on a virtual machine to achieve code execution as the VMX process on the host. |
| CVE-2025-22225 | 8.2 | A high-severity arbitrary write vulnerability in VMware ESXi that allows a threat actor with VMX process privileges to perform arbitrary kernel writes, potentially leading to a sandbox escape. |
| CVE-2025-22226 | 7.1 | A high-severity information disclosure vulnerability in VMware ESXi, Workstation, and Fusion that allows a threat actor with administrative privileges on a virtual machine to leak memory from the VMX process via an out-of-bounds read in the Host Guest File System (HGFS). |
Details of the in-the-wild exploitation have not been disclosed at this time, and Arctic Wolf has not identified a public Proof-of-Concept (PoC) exploit. While exploitation requires administrative privileges inside a guest virtual machine, an attacker who already controls a guest (for example through a compromised workload) can chain CVE-2025-22224 and CVE-2025-22225 to move from the guest into the VMX process and then into the ESXi kernel, and the flaws affect Workstation and Fusion as well. Threat actors have historically targeted ESXi, Workstation, and Fusion, and several vulnerabilities in these products are listed in CISA’s Known Exploited Vulnerabilities catalog.
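The table describes CVE-2025-22224 as a TOCTOU bug in a guest-to-host interface. Broadcom has not published the affected code, so the following is an added, generic illustration of the double-fetch pattern that produces this class of bug and is not the VMCI code path or the bulletin's own material: a host-side handler validates a length field it reads from memory the guest can rewrite at any time, then re-reads that field when it copies. The struct layout, the `race_hook` used to model the guest racing the host, the sizes, and the 0xAA fill data are all constructed for the demo; the `spill` region exists only so the demo can detect the out-of-bounds copy without crashing.

```c
/*
 * Illustrative double-fetch (TOCTOU) in a host-side request handler.
 * Constructed example; NOT the VMware VMCI code behind CVE-2025-22224.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 64

/* Request as laid out in guest-shared memory (constructed layout).
 * `len` is volatile because the guest can change it between two host reads. */
struct request {
    volatile uint32_t len;
    uint8_t payload[256];
};

/* Host-private scratch area. `spill` follows `buf` so that an over-long copy
 * lands in memory we can inspect instead of corrupting the stack (demo only). */
struct host_ctx {
    uint8_t buf[MAX_PAYLOAD];
    uint8_t spill[256];
};

/* Models a guest thread that runs between the host's check and its use. */
typedef void (*race_hook)(struct request *);

/* VULNERABLE: req->len is fetched twice; the second (unchecked) value is used. */
int handle_request_vulnerable(struct host_ctx *ctx, struct request *req, race_hook hook) {
    if (req->len > MAX_PAYLOAD)          /* fetch #1: the check */
        return -1;
    if (hook) hook(req);                 /* window in which the guest rewrites len */
    memcpy(ctx->buf, req->payload, req->len);   /* fetch #2: the use */
    return 0;
}

/* HARDENED: snapshot the guest-controlled header once into host-private
 * memory, validate the snapshot, and never touch shared memory for it again. */
int handle_request_hardened(struct host_ctx *ctx, struct request *req, race_hook hook) {
    uint32_t len = req->len;             /* single fetch */
    if (len > MAX_PAYLOAD)
        return -1;
    if (hook) hook(req);                 /* guest may still race, but it no longer matters */
    memcpy(ctx->buf, req->payload, len); /* uses the validated local copy */
    return 0;
}

/* Racing guest: grows len after the host has already accepted the request. */
static void guest_grows_len(struct request *req) {
    req->len = 200;
}

/* Runs one handler against a constructed request (len = 16, payload 0xAA).
 * Returns 1 if the copy overflowed into `spill`, 0 if it stayed in bounds,
 * -1 if the handler rejected the request. */
static int run_scenario(int (*handler)(struct host_ctx *, struct request *, race_hook),
                        race_hook hook) {
    struct request req;
    struct host_ctx ctx;
    memset(&req, 0, sizeof req);
    memset(&ctx, 0, sizeof ctx);
    req.len = 16;                                   /* passes the bounds check */
    memset(req.payload, 0xAA, sizeof req.payload);  /* constructed guest data */
    if (handler(&ctx, &req, hook) != 0)
        return -1;
    for (size_t i = 0; i < sizeof ctx.spill; i++)
        if (ctx.spill[i] != 0)
            return 1;
    return 0;
}

int demo_vulnerable_raced(void) { return run_scenario(handle_request_vulnerable, guest_grows_len); }
int demo_vulnerable_quiet(void) { return run_scenario(handle_request_vulnerable, NULL); }
int demo_hardened_raced(void)   { return run_scenario(handle_request_hardened, guest_grows_len); }

int main(void) {
    printf("vulnerable handler, guest races:    overflow=%d\n", demo_vulnerable_raced());
    printf("vulnerable handler, no race:        overflow=%d\n", demo_vulnerable_quiet());
    printf("hardened handler, guest races:      overflow=%d\n", demo_hardened_raced());
    return 0;
}
```

The point a reviewer of hypervisor device-emulation code looks for is the second read of guest-writable memory after validation; the fix is always the same shape (copy once, validate the copy, use the copy), regardless of whether the shared structure is a VMCI datagram, an HGFS request, or any other guest-supplied header.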
Recommendation
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest patched version of their respective VMware product.
| Product | Vulnerability | Affected Version | Fixed Version |
|---|---|---|---|
| VMware ESXi | | | |
| VMware Workstation | | | |
| VMware Fusion | | | |
| VMware Cloud Foundation | | | |
| VMware Telco Cloud Platform | | | |
| VMware Telco Cloud Infrastructure | | | |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.