Analysis Summary

Broadcom has issued a security alert warning VMware customers about three newly discovered zero-day vulnerabilities—CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226—impacting VMware ESXi, Workstation, and Fusion. Patches have been released, but no workarounds are available. CVE-2025-22224 is a critical VMCI heap overflow flaw that enables attackers with local admin privileges on a virtual machine (VM) to execute code as the VMX process on the host. CVE-2025-22225 is a high-severity arbitrary file write vulnerability in VMware ESXi, allowing attackers within the VMX process to trigger kernel writes and escape the sandbox. Meanwhile, CVE-2025-22226 is an out-of-bounds read issue in the HGFS component that could let attackers with administrative VM access leak memory from the VMX process.

While there is no publicly available information about real-world attacks exploiting these zero-days, Broadcom has indicated that they have been used in targeted attacks. Exploitation requires elevated privileges, meaning attackers likely compromised victim systems before leveraging these vulnerabilities for VM escape. Broadcom’s supplemental FAQ confirms that these flaws could allow an attacker with privileged VM access to move laterally into the hypervisor itself. Threat Intelligence Center, which discovered the vulnerabilities, has not yet disclosed further details about the attacks.

VMware products have historically been prime targets for attackers, and the U.S. cybersecurity agency CISA’s Known Exploited Vulnerabilities (KEV) catalog currently lists 26 VMware flaws, with these new zero-days yet to be added. The actual number of exploited vulnerabilities may be higher, as not all are publicly documented. Given the nature of these zero-days and their potential impact on virtualized environments, organizations using VMware ESXi, Workstation, and Fusion are strongly advised to apply the available patches immediately to prevent exploitation.

Impact

• Privilege Escalation
• Gain Access
• Code Execution
• Information Disclosure

Indicators of Compromise

CVE

• CVE-2025-22224

• CVE-2025-22225

• CVE-2025-22226

Remediation

• Install the latest patches released by VMware to mitigate these vulnerabilities, as no workarounds are available.
• Restrict administrative access to virtual machines to prevent attackers from gaining the necessary privileges for exploitation.
• Implement logging and monitoring solutions to detect unusual activity within virtual machines and hypervisors.
• Isolate critical VMware infrastructure from internet-facing systems and untrusted networks to reduce attack exposure.
• Ensure users and applications have only the minimum necessary privileges to limit the impact of potential exploitation.
• Regularly update guest operating systems and applications to prevent attackers from gaining initial access to the VM.
• Follow VMware’s security guidelines and harden configurations to minimize the attack surface.
• Monitor security advisories from VMware, Broadcom, and CISA for any updates or new threat intelligence.