www.belgium.be Logo of the federal government

WARNING: THREE ACTIVELY EXPLOITED VULNERABILITIES IN VMWARE SOLUTIONS, PATCH IMMEDIATELY!

Reference: 
Advisory #2025-49
Version: 
1.0
Affected software: 
VMware ESXi versions 8.0 and 7.0,
VMware Workstation versions 17.x before 17.6.3
VMware Fusion versions 13.x before 13
VMware Cloud Foundation versions 5.x and 4.5.x
VMware Telco Cloud Platform versions 5.x, 4.x, 3.x and 2.x
VMware Telco Cloud Infrastructure versions 3.x and 2.x
Type: 
Heap-overflow, arbitrary write and information disclosure vulnerabilities.
CVE/CVSS: 

CVE-2025-22224: CVSS 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2025-22225: CVSS 8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE-2025-22226: CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Date: 
05/03/2025

Sources

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

Risks

Threat actors actively exploit the zero-day vulnerabilities CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 in a chained attack. After gaining administrator privileges within a virtual machine guest OS, the threat actor can escape the sandbox environment and compromise the hypervisor. Successful exploitation results in broader security risks, including the takeover of all virtual machines hosted on the hypervisor, unauthorized access to hypervisor resources, or exfiltration of sensitive data.

Description

CVE-2025-22224: CVSS 9.3

A critical Time-of-Check Time-of-Use vulnerability leads to an out-of-bounds write, allowing an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process runs on the host.

CVE-2025-22225: CVSS 8.2

A high arbitrary write vulnerability allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write, leading to escape the sandboxed environment.

CVE-2025-22226: CVSS 7.1

A high out-of-bounds read vulnerability in HGFS leads to information disclosure, allowing an attacker with administrative privileges on a virtual machine to leak memory from the VMX process.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect

The CCB recommends that organisations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-22224
https://nvd.nist.gov/vuln/detail/CVE-2025-22225
https://nvd.nist.gov/vuln/detail/CVE-2025-22226
https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004