Apps & Software

Critical Zero-Day Vulnerabilities Found in These VMware Products

By: Raymond Carver

Date:

Share:

Critical Zero-Day Vulnerabilities Found in These VMware Products

[ad_1]

Broadcom has patched three actively exploited zero-day vulnerabilities in VMware ESXi, Workstation, and Fusion, discovered by Microsoft’s Threat Intelligence Center. The flaws, which were being leveraged in real-world attacks at the time of discovery, could allow attackers with administrator or root access to a virtual machine to breach the underlying hypervisor, potentially exposing all connected VMs and sensitive data.

How do these vulnerabilities work?

If a threat actor gains administrative access to a virtual machine’s guest OS, they can escalate privileges and break into the hypervisor. Once inside, they could manipulate or access other virtual machines running on the same hypervisor, posing a significant security risk.

The three vulnerabilities are:

  • CVE-2025-22224: A Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation which can lead to an out-of-bounds write condition if an attacker already has admin privileges.
  • CVE-2025-22225: An arbitrary write vulnerability in VMware ESXi.
  • CVE-2025-22226: An information disclosure vulnerability in VMware ESXi, Workstation, and Fusion that could be used to leak memory.

To remediate the vulnerabilities, customers should apply the patches found in Broadcom’s notification. All versions of VMware ESX, VMware vSphere, VMware Cloud Foundation, or VMware Telco Cloud Platform are affected, except those with the newest update.

SEE: Google Chrome’s switch to Manifest V3 continues to break ad blockers such as uBlock Origin.

Which products are affected?

The following products are affected by all three CVEs (via Rapid7):

  • Broadcom VMware ESXi 7.0 and 8.0.
  • Broadcom VMware Cloud Foundation 4.5.x and 5.x.
  • Broadcom VMware Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x.
  • Broadcom VMware Telco Cloud Infrastructure 3.x and 2.x.

The following product is vulnerable to CVE-2025-22224 and CVE-2025-22226 specifically:

  • Broadcom VMware Workstation 17.x.

The following product is vulnerable to CVE-2025-22226 specifically:

  • Broadcom VMware Fusion 13.x.

VMware’s Live Patch feature will not apply the patches automatically in this case.

VMware Cloud Foundation Operations, Automation, Aria Suite, and VMware NSX are not affected.

Last year, VMware ESXi servers were hit by a double-extortion ransomware variant, with the threat actors impersonating a real organization.

[ad_2]

Source link

Raymond Carver
Raymond Carver

━ more like this

Business

Sends shares Q1 2026 business update and product progress

0
Sends reported Q1 2026 updates sharing news on digital cards, app redesign, ClearBank integration, and fintech industry recognition. Sends, a fintech platform operated by Smartflow...
Reviews

We swipe our phones all day, and scientists just ranked which ones are the most tiring

0
We all know staring at your phone for hours isn’t great for mental health. But what about your fingers? Previously, researchers couldn’t measure...
Gear

Two suspects have been arrested for allegedly shooting at Sam Altman’s house

0
OpenAI CEO Sam Altman's house may have been the target of a second attack after San Francisco Police Department arrested two suspects for...
Reviews

You Can Soon Buy a $4,370 Humanoid Robot on AliExpress

0
Listing consumer electronics on the internet's large ecommerce marketplaces is a key step in “democratizing” the products, allowing them to be purchased by...
Gaming

Retro Rewind re-creates the glorious drudgery of working a ’90s video store

0
spot_img
Previous article
Thunderbolts* draws comparisons to ‘A24-feeling assassin movie’ and Toy Story 3
Next article
Rotel’s new headphone DAC/amp is a sleek desktop companion

Tech Reader is a Tech News magazine, publishing all about technology, gears, apps, mobile and reviews. Take your time and immerse yourself in this amazing experience!

━ about

━ follow us

━ subscribe

© Tech Reader - All rights reserved.