CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
Broadcom disclosed three zero-day vulnerabilities (CVE-2025-22224/22225/22226) in several VMware products, involving heap overflow, arbitrary write and information disclosure. The Microsoft Threat Intelligence Center found these vulnerabilities being exploited in the wild. VMware has released patches to fix the issues; users are advised to update promptly to guard against potential attacks. 2025-3-4 20:15:40 Author: www.tenable.com

[Image: Tenable Research advisory banner reading "ADVISORY: ZERO-DAY VULNERABILITIES EXPLOITED"]

Broadcom published an advisory for three flaws in several VMware products that were exploited in the wild as zero-days. Organizations are advised to apply the available patches.

Background

On March 4, Broadcom published an advisory (VMSA-2025-0004) for three zero-day vulnerabilities across multiple VMware products:

| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2025-22224 | VMware ESXi and Workstation Heap-Overflow Vulnerability | 9.3 |
| CVE-2025-22225 | VMware ESXi Arbitrary Write Vulnerability | 8.2 |
| CVE-2025-22226 | VMware ESXi, Workstation and Fusion Information Disclosure Vulnerability | 7.1 |

In addition to its advisory, Broadcom published a frequently asked questions (FAQ) document for these vulnerabilities: VMSA-2025-0004: Questions & Answers.

Analysis

CVE-2025-22224 is a TOCTOU (Time-of-Check Time-of-Use) vulnerability in VMware ESXi and Workstation. A local, authenticated attacker with admin privileges could exploit this vulnerability to gain code execution in the virtual-machine executable (VMX) process.

CVE-2025-22225 is an arbitrary write vulnerability in VMware ESXi. A local, authenticated attacker with the requisite privileges could exploit this vulnerability through the VMX process to escape the sandbox.

CVE-2025-22226 is an information-disclosure vulnerability in VMware ESXi, Workstation and Fusion. An authenticated, local attacker with admin privileges could exploit this vulnerability to cause the VMX process to leak contents from memory.

Exploited in the wild as zero-days

According to Broadcom, these vulnerabilities were discovered and disclosed by researchers at the Microsoft Threat Intelligence Center (MSTIC) and observed being exploited in the wild. No specific details about in-the-wild exploitation were shared.

Proof of concept

At the time this blog post was published, there were no proofs-of-concept (PoCs) available for any of these three vulnerabilities.

Solution

VMware has released fixed versions for affected VMware products:

| Affected Products | CVEs | Fixed Versions |
|---|---|---|
| VMware ESXi 8.0 | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | ESXi80U3d-24585383, ESXi80U2d-24585300 |
| VMware ESXi 7.0 | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | ESXi70U3s-24585291 |
| VMware Workstation 17.x | CVE-2025-22224, CVE-2025-22226 | 17.6.3 |
| VMware Fusion 13.x | CVE-2025-22226 | 13.6.3 |

Additionally, VMware Cloud Foundation, VMware Telco Cloud Platform and VMware Telco Cloud Infrastructure are affected. An asynchronous patch is available for VMware Cloud Foundation, while Telco Cloud Platform customers should update to a fixed ESXi version. For more information, please refer to Broadcom’s advisory.

Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
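As an added example (not Tenable's plugin logic and not code from the advisory), the following Python turns the fixed-version table above into a quick triage over an inventory of ESXi version banners. It assumes the `vmware -v` banner format shown in the comment and that the third component of the ESXi version identifies the update line (8.0 Update 3 reported as "8.0.3"); both are assumptions, and hosts and builds in the sample inventory are constructed.

```python
import re

# Minimum fixed build per ESXi release line, from the fixed-version table above
# (ESXi80U3d-24585383, ESXi80U2d-24585300, ESXi70U3s-24585291), keyed by
# (major, minor, update): ESXi reports 8.0 Update 3 as version "8.0.3".
FIXED_BUILDS = {
    (8, 0, 3): 24585383,  # ESXi 8.0 U3d
    (8, 0, 2): 24585300,  # ESXi 8.0 U2d
    (7, 0, 3): 24585291,  # ESXi 7.0 U3s
}

# Assumed banner shape (an assumption, not stated in the advisory): `vmware -v`
# on an ESXi host prints e.g. "VMware ESXi 8.0.3 build-24022510".
_BANNER_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)")

def parse_esxi_banner(banner):
    """Return ((major, minor, update), build), or None if unparseable."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, update, build = (int(g) for g in m.groups())
    return (major, minor, update), build

def is_patched(banner):
    """True if at/above the fix for its own release line, False if below it (or on
    a line with no listed fix, e.g. 8.0.1), None if the host cannot be assessed."""
    parsed = parse_esxi_banner(banner)
    if parsed is None:
        return None
    line, build = parsed
    if line[:2] not in {(8, 0), (7, 0)}:
        return None  # ESXi line not in the table above; do not guess
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return False  # e.g. 8.0.0/8.0.1 or 7.0.2: must move to a fixed update line
    # Compare within the line: an 8.0.3 build below 24585383 is still vulnerable
    # even though it is numerically above the 8.0.2 fix build (24585300).
    return build >= fixed

def triage(inventory):
    """Map host -> 'patched' | 'unpatched' | 'unknown' for a {host: banner} dict."""
    labels = {True: "patched", False: "unpatched", None: "unknown"}
    return {host: labels[is_patched(b)] for host, b in inventory.items()}

SAMPLE_INVENTORY = {  # constructed sample inventory, not real hosts
    "esx01": "VMware ESXi 8.0.3 build-24022510",  # 8.0 U3 before U3d -> unpatched
    "esx02": "VMware ESXi 8.0.3 build-24585383",  # 8.0 U3d -> patched
    "esx03": "VMware ESXi 7.0.3 build-24585291",  # 7.0 U3s -> patched
    "esx04": "VMware ESXi 6.7.0 build-17700523",  # outside the table -> unknown
}
```

A build number alone is not enough: the comparison must be made against the fix for the host's own update line, which is why `is_patched` keys on `(major, minor, update)` rather than on the raw build.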

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.


Satnam Narang

Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.

Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).



Article source: https://www.tenable.com/blog/cve-2025-22224-cve-2025-22225-cve-2025-22226-zero-day-vulnerabilities-in-vmware-esxi