Critical VMware ESXi, Workstation, Fusion Vulnerabilities Seen Exploited in Wild
Summary
On March 4th, Microsoft’s Threat Intelligence Center (MSTIC) uncovered three critical vulnerabilities in VMware products that are being actively exploited in the wild. Affected are VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform products, allowing remote code execution (RCE) and privilege escalation. The vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, were discovered following targeted threat actor activity. CISA has since added the bugs to its Known Exploited Vulnerabilities Catalog. Attackers can exploit these flaws to gain unauthorized access to systems, execute arbitrary code remotely, and escalate privileges, posing a significant risk to environments relying on these VMware solutions.
Two of these vulnerabilities are classified as Critical and pose significant risks to VMware users, while one, CVE-2025-22226, is marked as Important but still requires immediate attention due to its potential for data leakage.
Affected Systems and/or Applications
The following table captures the essential details about the affected VMware products, versions, identified vulnerabilities, severity, and the fixed versions.
Technical Details / Attack Overview
CVE-2025-22224: A Time-of-Check Time-of-Use (TOCTOU) vulnerability
CVSSv3: 9.3 – Critical Severity
A Time-of-Check Time-of-Use (TOCTOU) race condition in VMware ESXi and Workstation allows attackers with administrative VM privileges to exploit a heap overflow vulnerability in the VMX process. This grants attackers control over the host system, enabling lateral movement across virtualized environments.
CVE-2025-22225: Sandbox Escape via Arbitrary Write
CVSSv3: 8.2 – High Severity
Authenticated attackers can write arbitrary data to ESXi hosts through the VMX process, triggering sandbox escapes. By manipulating kernel memory, attackers escalate privileges to deploy malware or disrupt services. This is particularly dangerous in multi-tenant environments.
CVE-2025-22226: Hypervisor Memory Leakage
CVSSv3: 7.1 – Moderate Severity
An out-of-bounds read in VMware’s Host Guest File System (HGFS) enables attackers to extract sensitive data such as encryption keys and credentials from the VMX process. While less severe, this flaw provides valuable reconnaissance data for future attacks.
Mitigation
Ensure that the latest patches from VMware are applied to the following products:
- VMware ESXi: Update to the latest available versions for ESXi 8.0/7.0
- VMware Workstation/Fusion: Update to 17.6.3 and 13.6.3 respectively
- VMware Cloud Foundation: Update to ESXi 7.0U3s, ESXi 8.0U2d, and ESXi 8.0U3d (KB389385)
- VMware Telco Cloud Platform: Update to ESXi 7.0U3s (KB389385)
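The fixed versions above are easy to misread when triaging a large estate (8.0U3c is below the fix, 8.0U3d is not; a 7.0U3 host needs the "s" patch). The following script is an added example, not part of the advisory or of any VMware tooling: it takes a constructed inventory of hosts in the advisory's own version notation (ESXi as `major.minorU<update><letter>`, Workstation and Fusion as dotted versions) and reports which entries still sit below the fixed versions listed in the Mitigation section. ESXi update lines the advisory does not name (for example 8.0U1) are flagged for manual verification rather than guessed at.

```python
"""Flag inventory entries still below the fixed versions named in the advisory.

Added example, not part of the advisory. The inventory below is constructed
sample data, and ESXi entries are assumed to be recorded in the advisory's
"major.minorU<update><letter>" notation rather than as build numbers.
"""
import re

# Fixed versions exactly as stated in the advisory's Mitigation section.
FIXED_WORKSTATION = (17, 6, 3)
FIXED_FUSION = (13, 6, 3)
# ESXi: (release line, update number) -> first patch letter that carries the fix
FIXED_ESXI = {("7.0", 3): "s", ("8.0", 2): "d", ("8.0", 3): "d"}

ESXI_RE = re.compile(r"^(\d+\.\d+)U(\d+)([a-z]?)$")


def parse_dotted(version: str) -> tuple:
    """'17.6.2' -> (17, 6, 2); raises ValueError on junk input."""
    return tuple(int(p) for p in version.split("."))


def esxi_status(version: str) -> str:
    """Compare an ESXi version string against the advisory's fixed patch letters."""
    m = ESXI_RE.match(version)
    if not m:
        return "unknown-format"
    line, update, letter = m.group(1), int(m.group(2)), m.group(3)
    fixed_letter = FIXED_ESXI.get((line, update))
    if fixed_letter is None:
        # e.g. 8.0U1: the advisory names no fix for this line; check the vendor KB by hand
        return "not-in-advisory"
    # Patch letters sort alphabetically; an empty letter (plain "8.0U3") is below any patch
    return "patched" if letter >= fixed_letter else "vulnerable"


def status(product: str, version: str) -> str:
    """Dispatch on product and return patched / vulnerable / unknown-format / not-in-advisory."""
    if product == "esxi":
        return esxi_status(version)
    if product in ("workstation", "fusion"):
        target = FIXED_WORKSTATION if product == "workstation" else FIXED_FUSION
        try:
            return "patched" if parse_dotted(version) >= target else "vulnerable"
        except ValueError:
            return "unknown-format"
    return "not-in-advisory"


# Constructed sample inventory: host,product,version
SAMPLE_INVENTORY = """\
esx-01,esxi,8.0U3c
esx-02,esxi,8.0U3d
esx-03,esxi,7.0U3q
esx-04,esxi,8.0U1c
ws-lab-1,workstation,17.6.2
ws-lab-2,workstation,17.6.3
mac-dev-1,fusion,13.5.2
"""


def triage(inventory: str) -> dict:
    """Map each host in a CSV inventory to its patch status."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (p.strip() for p in line.split(","))
        results[host] = status(product.lower(), version)
    return results


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict}")
```

The "not-in-advisory" verdict is deliberate: a host on a release line the advisory does not mention should be checked against KB389385 rather than silently treated as safe.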
What is the CFC doing?
The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
Tenable IDs:
References
- https://cybersecuritynews.com/cisa-warns-vmware-vulnerabilities/
- https://thehackernews.com/2025/03/vmware-security-flaws-exploited-in.html
- https://support.broadcom.com/web/ecx/support-contentnotification/-/external/content/SecurityAdvisories/0/25390
- https://www.cisa.gov/news-events/alerts/2025/03/04/cisa-adds-four-known-exploited-vulnerabilities-catalog
- KB389385