Analysis Summary

VMware has released urgent security patches addressing four high-severity vulnerabilities, CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, and CVE-2025-41239, impacting ESXi, Workstation, Fusion, and VMware Tools. Discovered during the Pwn2Own competition by security researchers, these flaws pose serious risks to virtualization infrastructure. Three of the vulnerabilities are rated critical with CVSS scores up to high and could enable virtual machine (VM) escape, allowing attackers with administrative access inside a VM to execute code directly on the host system.

The most severe flaw, CVE-2025-41236, is an integer overflow in the VMXNET3 virtual network adapter. It allows attackers with local admin access to run arbitrary code on the host, making it a direct threat to the underlying hypervisor. Similarly, CVE-2025-41237, an integer underflow in the VMCI (Virtual Machine Communication Interface), can result in out-of-bounds writes. While ESXi systems mitigate the impact by containing the execution within a sandbox, the same is not true for Workstation and Fusion platforms, where the flaw can lead to a full host compromise.

CVE-2025-41238 targets the PVSCSI controller and exploits a heap overflow vulnerability to enable code execution within the VMX process. Like the VMCI flaw, its impact is reduced on properly configured ESXi systems, but remains critical for users of Workstation and Fusion. The fourth vulnerability, CVE-2025-41239, is less severe but still significant. It involves information leakage through uninitialized memory in the vSockets communication mechanism. This flaw primarily affects VMware Tools on Windows and enables attackers to read sensitive memory content, although it does not allow code execution.

Broadcom, VMware's parent company, has released patches for all affected platforms, including ESXi updates (ESXi80U3f-24784735 and ESXi70U3w-24784741), Workstation Pro 17.6.4, Fusion 13.6.4, and VMware Tools 13.0.1.0. Given the critical nature of these vulnerabilities, organizations are strongly advised to apply these updates immediately. Failure to do so could result in complete host compromise, data leakage, or virtual machine breakout, particularly on desktop environments, posing a major threat to enterprise and cloud infrastructure.

Impact

• Buffer Overflow
• Information Disclosure
• Gain Access

Indicators of Compromise

CVE

• CVE-2025-41236

• CVE-2025-41237

• CVE-2025-41238

• CVE-2025-41239

Affected Vendors

Remediation

• Refer to the VMware Security Advisory for patch, upgrade or suggested workaround information.
• Restrict administrative access to virtual machines to prevent attackers from exploiting these vulnerabilities using elevated privileges.
• Enable strict sandboxing and isolation policies in ESXi environments to contain potential exploitation within VMX processes and limit the attack surface.
• Continuously monitor VM and host behavior for signs of privilege escalation, abnormal memory access, or VM escape attempts using advanced threat detection tools.
• Audit virtual hardware configurations to disable or limit the use of vulnerable components like VMXNET3, VMCI, PVSCSI, and vSockets where not required.