Broadcom has rolled out critical security updates to patch three actively exploited zero-day vulnerabilities in VMware products, and if you’re running ESXi, Workstation, Fusion, Cloud Foundation, or Telco Cloud Platform, this concerns you. These aren’t just any bugs; they’re serious flaws that attackers are already using in the wild, making them an immediate threat to your virtual environments.
The vulnerabilities in question, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, open the door for everything from arbitrary code execution to information leaks and even sandbox escapes. If left unpatched, they could allow attackers to compromise your VMware setup, potentially leading to unauthorized access, system takeovers, and serious security breaches.
But don’t panic (yet). Broadcom has already pushed out patches to lock these loopholes, so the best thing you can do is update your systems ASAP. In this blog, we’ll break down the details of each vulnerability, show you which systems are affected, and walk you through the solutions you need to implement before hackers beat you to it.
Vulnerability Details
CVE-2025-22224: TOCTOU Race Condition Leading to Out-of-Bounds Write
- Description: VMware ESXi and Workstation contain a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability that leads to an out-of-bounds write. This flaw arises when there’s a discrepancy between the time a resource’s state is checked and the time it’s used, potentially allowing unauthorized modifications.
- Impact: A malicious actor with local administrative privileges on a virtual machine can exploit this vulnerability to execute code as the virtual machine’s VMX process running on the host. This could lead to unauthorized code execution on the host system.
- Severity: This vulnerability has been assigned a CVSS v3.1 base score of 9.3 (Critical), with the vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
CVE-2025-22225: Arbitrary Kernel Write Leading to Sandbox Escape
- Description: VMware ESXi contains an arbitrary write vulnerability. This issue allows a malicious actor with privileges within the VMX process to trigger arbitrary kernel writes.
- Impact: Exploitation of this vulnerability can lead to an escape of the sandbox, allowing the attacker to execute code outside the confined virtual environment, potentially compromising the host system.
- Severity: This vulnerability has been assigned a CVSS v3.1 base score of 8.2 (High), with the vector string: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.
CVE-2025-22226: Out-of-Bounds Read in HGFS Leading to Information Disclosure
- Description: VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in the Host Guest File System (HGFS).
- Impact: A malicious actor with administrative privileges to a virtual machine may exploit this issue to leak memory from the VMX process. This could result in the exposure of sensitive information from the host system.
- Severity: This vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High), with the vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N.
Affected Systems
The vulnerabilities impact the following VMware products:
| Product | Affected Versions |
|---|---|
| VMware ESXi | Versions 7.0 and 8.0 |
| VMware Workstation | Version 17.x |
| VMware Fusion | Version 13.x |
| VMware Cloud Foundation | Versions 4.x and 5.x |
| VMware Telco Cloud Platform | Versions 2.x, 3.x, 4.x, and 5.x |
Solution
To mitigate these vulnerabilities, users and administrators should apply the patches provided by VMware:
| Product | Fixes |
|---|---|
| VMware ESXi 8.0 | Update to ESXi80U3d-24585383 or ESXi80U2d-24585300 |
| VMware ESXi 7.0 | Update to ESXi70U3s-24585291 |
| VMware Workstation 17.x | Update to version 17.6.3 |
| VMware Fusion 13.x | Update to version 13.6.3 |
| VMware Cloud Foundation 5.x | Apply the asynchronous patch to ESXi80U3d-24585383 |
| VMware Cloud Foundation 4.x | Apply the asynchronous patch to ESXi70U3s-24585291 |
| VMware Telco Cloud Platform | Apply the ESXi patch above that matches the platform's ESXi version |
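Before and after patching, you will want to confirm which hosts are actually on a fixed build. The block below is an added example, not code from the original post or from VMware: it parses the version line an ESXi host reports (the format `VMware ESXi 8.0.3 build-24585383`, as printed by `vmware -vl`, is assumed here), compares the build number against the fixed builds in the table above, and does the same version comparison for Workstation and Fusion. It also assumes the third version component is the Update number (8.0.3 is 8.0 Update 3, 8.0.2 is 8.0 Update 2, 7.0.3 is 7.0 Update 3). The host inventory at the bottom is constructed sample data.

```python
"""
Added example (not from the original post): classify ESXi, Workstation and
Fusion hosts as patched or vulnerable against the fixed builds/versions in
the advisory's Solution table. Input format and update-number mapping are
assumptions documented in the lead-in.
"""
import re

# Fixed ESXi builds from the advisory, keyed by (release, update number).
FIXED_ESXI_BUILDS = {
    ("8.0", 3): 24585383,   # ESXi80U3d-24585383
    ("8.0", 2): 24585300,   # ESXi80U2d-24585300
    ("7.0", 3): 24585291,   # ESXi70U3s-24585291
}
AFFECTED_ESXI_RELEASES = {"7.0", "8.0"}

# Fixed desktop hypervisor versions from the advisory.
FIXED_DESKTOP_VERSIONS = {
    "Workstation": (17, 6, 3),
    "Fusion": (13, 6, 3),
}

# Assumed format of the first line of `vmware -vl` on an ESXi host.
ESXI_VERSION_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)")


def parse_esxi_version(line: str) -> tuple:
    """'VMware ESXi 8.0.3 build-24585383' -> ('8.0', 3, 24585383)."""
    m = ESXI_VERSION_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised ESXi version line: {line!r}")
    major, minor, update, build = m.groups()
    return f"{major}.{minor}", int(update), int(build)


def esxi_status(line: str) -> str:
    """'patched', 'vulnerable' or 'not-listed' for one ESXi version line."""
    release, update, build = parse_esxi_version(line)
    if release not in AFFECTED_ESXI_RELEASES:
        return "not-listed"          # release not in the advisory's table
    fixed = FIXED_ESXI_BUILDS.get((release, update))
    if fixed is None:
        # e.g. 7.0 U1: an affected release with no fix on that update line,
        # so the host must move to the update line that carries the fix.
        return "vulnerable"
    return "patched" if build >= fixed else "vulnerable"


def desktop_status(product: str, version: str) -> str:
    """Compare a Workstation/Fusion version such as '17.6.2' to the fix."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED_DESKTOP_VERSIONS[product]
    if parts[0] != fixed[0]:
        return "not-listed"          # only 17.x / 13.x are in the table
    return "patched" if parts >= fixed else "vulnerable"


def audit(hosts: dict) -> dict:
    """Map host name -> status for a {host: version line} inventory."""
    return {name: esxi_status(line) for name, line in hosts.items()}


# Constructed sample inventory; build numbers other than the fixed ones
# are made up for illustration.
SAMPLE_HOSTS = {
    "esx01": "VMware ESXi 8.0.3 build-24585383",   # on the U3d fix
    "esx02": "VMware ESXi 8.0.3 build-24000000",   # U3 line, older build
    "esx03": "VMware ESXi 8.0.2 build-24585300",   # on the U2d fix
    "esx04": "VMware ESXi 7.0.3 build-23000000",   # U3 line, older build
    "esx05": "VMware ESXi 7.0.1 build-17000000",   # no fix on U1 line
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_HOSTS).items():
        print(f"{host}: {status}")
    print("Workstation 17.6.2:", desktop_status("Workstation", "17.6.2"))
    print("Fusion 13.6.3:", desktop_status("Fusion", "13.6.3"))
```

The comparison is per update line on purpose: an 8.0 Update 2 host at build 24585300 is fixed even though that number is lower than the Update 3 fix, so a single global "build must exceed N" check would misreport it.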
Instantly Fix Risks with SanerNow Patch Management
SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
