WARNING: THREE ACTIVELY EXPLOITED VULNERABILITIES IN VMWARE SOLUTIONS, PATCH IMMEDIATELY!
CVE-2025-22224: CVSS 9.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2025-22225: CVSS 8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
CVE-2025-22226: CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Sources
Risks
Threat actors actively exploit the zero-day vulnerabilities CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 in a chained attack. After gaining administrator privileges within a virtual machine guest OS, the threat actor can escape the sandbox environment and compromise the hypervisor. Successful exploitation results in broader security risks, including the takeover of all virtual machines hosted on the hypervisor, unauthorized access to hypervisor resources, or exfiltration of sensitive data.
Description
CVE-2025-22224: CVSS 9.3
A critical Time-of-Check Time-of-Use vulnerability leads to an out-of-bounds write, allowing an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host.
CVE-2025-22225: CVSS 8.2
A high-severity arbitrary write vulnerability allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write, leading to an escape from the sandboxed environment.
CVE-2025-22226: CVSS 7.1
A high-severity out-of-bounds read vulnerability in HGFS leads to information disclosure, allowing an attacker with administrative privileges on a virtual machine to leak memory from the VMX process.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends that organisations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-22224
https://nvd.nist.gov/vuln/detail/CVE-2025-22225
https://nvd.nist.gov/vuln/detail/CVE-2025-22226
https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004