Attacks on VMware ESXi
By Christian Mary Lagua on March 14, 2025
Executive Summary
On March 4, 2025, three critical VMware ESXi vulnerabilities, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, were reported as actively exploited in VMware products. Fixed versions have been released for all affected products.
Background
VMware is a vendor of virtualization products and services used to run virtual machines (VMs). Three vulnerabilities were found that affect its VMware ESXi, Workstation, and Fusion products [2]. All originate from flaws in the Virtual Machine eXecutable (VMX) process on the VM's host and remain actively exploited [3]. CVE-2025-22224 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability with a severity score of 9.3 (critical). CVE-2025-22225 is an arbitrary write vulnerability with a severity score of 8.2 (high). CVE-2025-22226 is a Host Guest File System (HGFS) information-disclosure vulnerability with a severity score of 7.1 (high) [5]. Patches are available for all impacted products.
Exploitation
Exploitation of these VMware ESXi vulnerabilities threatens the security boundary between the controlled VM environment and the host system [4]. CVE-2025-22224 allows an out-of-bounds write that results in a heap overflow and enables execution of malicious code. CVE-2025-22225 allows an arbitrary write to kernel memory, escalating privileges and leading to a sandbox escape. CVE-2025-22226 discloses sensitive data from the VMX process through an out-of-bounds read in HGFS. All three vulnerabilities give an attacker with VM administrative privileges unauthorized access to the VMX process running on the host, which increases the risk of a VM compromising its host.
Significance and Impact
Chained together, the three vulnerabilities can lead to a VM escape, in which a compromised VM attacks the hypervisor itself [1]. Because multiple VMware products are affected, thousands of organizations are at risk. Successful exploitation allows attackers to gain unauthorized access to sensitive data, deploy ransomware, and disrupt business operations. As of March 4, 2025, the Shadowserver Foundation reported almost 41,500 devices still vulnerable to CVE-2025-22224 [7]. Even with patches available, this raises concern about large-scale exploitation.
Mitigation
For remediation, it is crucial to update the affected VMware hypervisors to their patched versions, as there are no workarounds [6]. VMware ESXi 8.0 should be updated to the latest 3d or 2d release, and VMware ESXi 7.0 to the latest 3s release. VMware Workstation should be updated to version 17.6.3 and VMware Fusion to version 13.6.3. Other patched versions are listed in the VMware Security Advisory (VMSA). Applying these updates protects all affected hypervisors against exploitation of these vulnerabilities.
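As an added example (not from the advisory or from Broadcom), the following Python check flags inventory entries that are still below the fixed versions named above. The inventory format, hostnames, and the assumption that ESXi patch letters sort alphabetically within one update train are mine; hosts on a train with no listed fix (such as 8.0 U1) are treated as needing an update.

```python
import re

# Fixed versions stated in the advisory text (VMSA-2025-0004).
FIXED_DESKTOP = {"Workstation": (17, 6, 3), "Fusion": (13, 6, 3)}
# ESXi fixes keyed by (release, update train) -> first fixed patch letter.
# Assumption: patch letters within one update train sort alphabetically.
FIXED_ESXI = {("8.0", "U3"): "d", ("8.0", "U2"): "d", ("7.0", "U3"): "s"}

ESXI_RE = re.compile(r"^ESXi (\d+\.\d+) (U\d)([a-z]?)$")
DESKTOP_RE = re.compile(r"^(Workstation|Fusion) (\d+(?:\.\d+)*)$")

def needs_patch(product: str) -> bool:
    """True if a product string such as 'ESXi 8.0 U3c' is below its fix."""
    m = ESXI_RE.match(product)
    if m:
        release, train, letter = m.groups()
        fixed = FIXED_ESXI.get((release, train))
        if fixed is None:  # train with no listed fix, e.g. 8.0 U1 (assumption)
            return True
        return letter < fixed
    m = DESKTOP_RE.match(product)
    if m:
        name, ver = m.groups()
        return tuple(int(x) for x in ver.split(".")) < FIXED_DESKTOP[name]
    raise ValueError(f"unrecognised product string: {product!r}")

def audit(inventory: str) -> list[str]:
    """Return the hosts from 'host, product' lines that still need the patch."""
    return [host.strip() for host, product in
            (line.split(",", 1) for line in inventory.strip().splitlines())
            if needs_patch(product.strip())]

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """\
esx01, ESXi 8.0 U3c
esx02, ESXi 8.0 U3d
esx03, ESXi 7.0 U3r
esx04, ESXi 8.0 U1
ws01, Workstation 17.6.2
mac01, Fusion 13.6.3
mac02, Fusion 13.5.2
"""

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: update required per VMSA-2025-0004")
```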
Conclusion
VMware has released patched versions to address the VMware ESXi vulnerabilities. However, unpatched systems remain at risk and could lead to wider security compromises. Updating to the latest security versions protects VM environments from exploitation.
References
[1] Beaumont, K. (2025, March). “Use one Virtual Machine to own them all — active exploitation of VMware ESX hypervisor escape ESXicape.” Medium. https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exploitation-of-esxicape-0091ccc5bdfc
[2] Broadcom. (2025, March 4). “VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226).” Broadcom Support Portal. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390
[3] Broadcom. (2024, December 16). “VMX Specification.” Broadcom TechDocs. https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere-sdks-tools/8-0/virtual-disk-development-kit-programming-guide/virtual-disk-api-functions/start-up/vmx-specification.html
[4] Constantin, L. (2025, March 4). “VMware ESXi gets critical patches for in-the-wild virtual machine escape attack.” CSO. https://www.csoonline.com/article/3837874/vmware-esxi-gets-critical-patches-for-in-the-wild-virtual-machine-escape-attack.html
[5] Fewer, S. (2025, March 4). “Multiple zero-day vulnerabilities in Broadcom VMware ESXi and other products.” Rapid7. https://www.rapid7.com/blog/post/2025/03/04/etr-multiple-zero-day-vulnerabilities-in-broadcom-vmware-esxi-and-other-products/
[6] GitHub. (2025, March). “VMSA-2025-0004: Questions & Answers.” GitHub. https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004
[7] Shadowserver Foundation. (2025, March 5). Post. X. https://x.com/Shadowserver/status/1897375815605870833