Singapore’s Cyber Security Agency alerts critical VMware flaws risking code execution and data leaks.
The Cyber Security Agency of Singapore (CSA) has issued an alert for multiple VMware vulnerabilities. The alert followed a critical security advisory from Broadcom detailing the same flaws.
These vulnerabilities, CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, and CVE-2025-41239, impact VMware ESXi, Workstation, Fusion, Tools, and related infrastructure solutions.
The four newly identified VMware vulnerabilities, listed by CSA, vary in type and severity but collectively pose a substantial risk. They can allow attackers with local administrative privileges on a virtual machine (VM) to execute arbitrary code on the host system or leak sensitive memory data.
CVE-2025-41236 is an integer overflow vulnerability in the VMXNET3 virtual network adapter. A local attacker with admin privileges on a VM using this adapter could exploit the flaw to execute code directly on the host. According to Broadcom, non-VMXNET3 adapters are not affected. The vulnerability has a CVSSv3 base score of 9.3, emphasizing its potential danger.
The CVE-2025-41237 vulnerability resides in the Virtual Machine Communication Interface (VMCI) and is caused by an integer underflow. Successful exploitation could lead to code execution as the VMX process on the host. While exploitation on ESXi is confined to the VMX sandbox, Workstation and Fusion users are at greater risk, as it could result in full code execution on the host machine.
CVE-2025-41238, another high-severity flaw, is a heap-overflow vulnerability in the Paravirtualized SCSI (PVSCSI) controller. Affected configurations could allow an attacker to write out of bounds, leading to the execution of arbitrary code in the VMX process. On ESXi, the flaw is exploitable only with unsupported configurations and remains within the sandbox. However, Workstation and Fusion environments are susceptible to more severe consequences.
The CVE-2025-41239 vulnerability involves the use of uninitialized memory in vSockets, potentially allowing an attacker to leak memory from communicating processes. Although not as severe as the others, it still presents a risk, especially in sensitive or multi-tenant environments.
The vulnerabilities impact a broad spectrum of VMware’s product lineup:
The CVSSv3 base scores assigned to the vulnerabilities range from 7.1 to 9.3, classifying most as critical. There are no known workarounds, which increases the urgency for administrators to apply patches immediately.
“These are local privilege escalation vulnerabilities, but they pose a real threat in environments where users have shell access or where guest VMs might be compromised,” noted a Broadcom security engineer.
Broadcom strongly recommends all users and administrators update to the latest patched versions to mitigate these vulnerabilities in VMware. Fixed versions for each product are listed in the official response matrix and are available on Broadcom’s advisory page. For instance:
Additionally, VMware Tools for Windows 32-bit and 64-bit have been patched in versions 13.0.1.0 and 12.5.3, respectively.
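As an added defender-side check (example code, not from the article or from Broadcom), the following compares installed VMware Tools build strings against the two fixed versions the article quotes, using numeric rather than string comparison; the guest names, build strings and the choice of which fixed version applies to each guest are constructed assumptions, and the applicable row must be taken from Broadcom's response matrix.

```python
import re

# Fixed VMware Tools for Windows versions quoted in the article. Which one
# applies to a given guest is supplied per inventory entry (an assumption).
FIXED_TOOLS_VERSIONS = {"13.0.1.0", "12.5.3"}


def parse_version(text):
    """Parse '12.5.3', '12.5.3.0' or '13.0.1.0 build-1234567' (constructed
    forms) into a 4-tuple of ints. A trailing build tag is ignored and missing
    components count as 0, so '12.5.3' compares equal to '12.5.3.0'."""
    m = re.match(r"\s*(\d+(?:\.\d+){0,3})", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_patched(installed, fixed):
    """True when installed >= fixed, compared component by component.
    A plain string compare would wrongly rank '12.5.10' below '12.5.3'."""
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory):
    """inventory: list of (guest_name, installed_version, fixed_version).
    Returns the names of guests still running a Tools build below the fix."""
    return [name for name, inst, fixed in inventory if not is_patched(inst, fixed)]


# Constructed sample inventory: hypothetical guest names and build strings.
SAMPLE_INVENTORY = [
    ("win-app-01", "12.5.2 build-1234567", "12.5.3"),  # below the fix
    ("win-app-02", "12.5.3.0", "12.5.3"),              # exactly the fix
    ("win-db-01", "13.0.0.0", "13.0.1.0"),             # below the fix
    ("win-db-02", "13.0.1.0", "13.0.1.0"),             # exactly the fix
    ("win-file-01", "12.5.10", "12.5.3"),              # newer, numerically
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: VMware Tools below the fixed version, update required")
```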
These new VMware vulnerabilities, especially CVE-2025-41236 and CVE-2025-41237, highlight the critical importance of regular patching and vulnerability management. While no public exploits have yet been confirmed, the presence of proof-of-concept research and the involvement of top-tier researchers stress the need for better vulnerability management.
Given the use of VMware products in cloud, enterprise, and telco infrastructure, delaying remediation could leave systems dangerously exposed. All organizations using impacted versions should prioritize patching immediately.