Broadcom released a security alert on Tuesday morning to warn VMware customers about three zero-days that have been exploited in the wild.
The vulnerabilities, tracked as CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, affect VMware ESXi, Workstation, and Fusion. Patches have been released for each impacted product, but workarounds are not available.
CVE-2025-22224 has been described as a critical VMCI heap overflow vulnerability affecting VMware ESXi and Workstation that allows an attacker with local admin privileges on a virtual machine (VM) to “execute code as the virtual machine’s VMX process running on the host”.
CVE-2025-22225, which affects VMware ESXi, is a high-severity arbitrary write issue (a kernel memory write, not a file write): an attacker who already has code execution within the VMX process can “trigger an arbitrary kernel write leading to an escape of the sandbox”.
CVE-2025-22226 affects VMware ESXi, Workstation and Fusion. It’s a high-severity information disclosure flaw caused by an out-of-bounds read bug in the HGFS component, which allows an attacker who has administrative privileges to a VM to leak memory from the VMX process.
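Since no workaround exists, patching is the only remediation, and the first practical step is confirming which build each ESXi host actually runs. The script below is an added example written for this article, not Broadcom's or VMware's code. It parses the output of `vmware -vl` or `esxcli system version get` from an ESXi shell and compares the build number against the fixed build for that version line. The fixed build value (`MIN_BUILD_80`) is a placeholder that must be replaced with the number Broadcom lists for each affected line, and the two sample outputs are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example for this article; not Broadcom/VMware code.
# Parses ESXi version output and compares the build number against the
# fixed build for that version line. On a host you would run, for example:
#   check_esxi_build "$(vmware -vl)" 8.0 "$MIN_BUILD_80"
# MIN_BUILD_80 is a PLACEHOLDER: replace it with the fixed build number
# Broadcom lists for the ESXi 8.0 line (and define one per line you run).
MIN_BUILD_80=24500000

# Pull the numeric build out of either `vmware -vl` ("... build-NNN")
# or `esxcli system version get` ("Build: Releasebuild-NNN").
esxi_build() {
    printf '%s\n' "$1" | sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Pull the version string (e.g. 8.0.3) from either output format.
esxi_version() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^VMware ESXi \([0-9][0-9.]*\) build-.*/\1/p' \
        -e 's/^ *Version: *\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# check_esxi_build <version output> <expected line, e.g. 8.0> <min build>
# Exit status: 0 patched, 1 below the fixed build, 2 unparseable,
# 3 host is on a different version line (its fixed build differs).
check_esxi_build() {
    build=$(esxi_build "$1")
    [ -n "$build" ] || return 2
    version=$(esxi_version "$1")
    case "$version" in
        "$2" | "$2".*) ;;
        *) return 3 ;;
    esac
    [ "$build" -ge "$3" ] && return 0
    return 1
}

# Human-readable wrapper around check_esxi_build.
report() {
    rc=0
    check_esxi_build "$1" "$2" "$3" || rc=$?
    case $rc in
        0) echo "build $(esxi_build "$1") ($(esxi_version "$1")): at or above fixed build $3" ;;
        1) echo "build $(esxi_build "$1") ($(esxi_version "$1")): BELOW fixed build $3, patch required" ;;
        2) echo "could not find a build number in the input" ;;
        3) echo "host is on version $(esxi_version "$1"), not the $2 line; compare against that line's fixed build" ;;
    esac
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_VMWARE_VL='VMware ESXi 8.0.3 build-24000000
VMware ESXi 8.0 Update 3'
SAMPLE_ESXCLI='   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24600000
   Update: 3
   Patch: 0'

report "$SAMPLE_VMWARE_VL" 8.0 "$MIN_BUILD_80"
report "$SAMPLE_ESXCLI" 8.0 "$MIN_BUILD_80"
report "$SAMPLE_VMWARE_VL" 7.0 "$MIN_BUILD_80"
```

Build numbers only compare meaningfully within one version line (8.0 against 8.0, 7.0 against 7.0), which is why the check refuses to evaluate a host whose version prefix does not match the line the fixed build belongs to. Workstation and Fusion have their own fixed versions and are not covered by this check.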
At the time of writing there does not appear to be any public information describing attacks involving these zero-days.
Broadcom, which acquired VMware in 2023, pointed out that exploitation of the vulnerabilities requires elevated privileges inside a guest VM, which suggests they have been used as a post-compromise step in targeted attacks, after the threat actors had already obtained initial access and administrator or root rights on a guest.
This theory is reinforced by Broadcom's supplemental FAQ document, which clarifies that the zero-days can lead to a VM escape. The flaws chain: CVE-2025-22224 gives code execution in the VMX process on the host, and CVE-2025-22225 requires exactly that foothold to escape the VMX sandbox.
“This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself,” the vendor explained.
Broadcom has credited Microsoft Threat Intelligence Center for reporting these vulnerabilities. SecurityWeek has reached out to Microsoft for additional information on the attacks and will update this article if the company responds.
It’s not uncommon for threat actors to exploit VMware product vulnerabilities in their attacks. The Known Exploited Vulnerabilities (KEV) catalog maintained by the US cybersecurity agency CISA currently includes 26 VMware flaws, and the new zero-days have yet to be added. The KEV list is known to be incomplete, so the actual number of exploited VMware flaws could be even higher.