Broadcom Uncovers Three High-Risk Zero-Day Vulnerabilities in VMware Products Under Active Exploitation

CyberSecureFox 🦊

Broadcom’s security research team has identified three critical zero-day vulnerabilities in VMware’s virtualization products that are currently being actively exploited by threat actors. The Microsoft Threat Intelligence Center has confirmed these active exploitation attempts, significantly elevating the risk level for organizations utilizing affected VMware solutions.

Technical Analysis of the Zero-Day Vulnerabilities

The most severe vulnerability, tracked as CVE-2025-22224 with a CVSS score of 9.3, is a heap overflow in the VMCI (Virtual Machine Communication Interface) component. This critical flaw enables attackers with virtual machine administrator privileges to execute arbitrary code within the VMX process context on the host system, potentially compromising both VMware ESXi and Workstation installations.

A second vulnerability, CVE-2025-22225 (CVSS 8.2), specifically affects VMware ESXi systems. This security flaw enables arbitrary kernel writes through the VMX process, potentially leading to virtual machine escape scenarios that could compromise the entire virtualization infrastructure.

The third identified vulnerability, CVE-2025-22226 (CVSS 7.1), impacts the HGFS component across ESXi, Workstation, and Fusion products. This flaw allows privileged attackers to trigger memory leaks from the VMX process, potentially exposing sensitive information.

Impact Assessment and Security Implications

These vulnerabilities present a significant security risk because attackers need only compromise a single virtual machine to potentially gain access to the underlying hypervisor. This access could lead to complete control over all virtual machines operating within the affected environment, representing a severe threat to organizational security.

Affected VMware Products and Security Recommendations

The following VMware products are vulnerable to these security flaws:

  • VMware ESXi
  • vSphere
  • Workstation
  • Fusion
  • Cloud Foundation
  • Telco Cloud Platform

Critical Security Measures

Security administrators should implement the following measures immediately:

  • Apply security patches as soon as they become available
  • Implement enhanced monitoring for suspicious activities
  • Conduct thorough system audits for potential compromise indicators
  • Review and restrict virtual machine access controls
  • Perform regular security assessments of virtualization infrastructure
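
The first and third measures above (apply patches, audit systems) start with knowing which hosts are still on a vulnerable build. The script below is an added example, not code from the article or from Broadcom: it parses the key/value output of `esxcli system version get` for a fleet of ESXi hosts and flags any host whose build number is below the minimum fixed build for its version line. The host names and build numbers in the sample output are constructed, and the `MIN_FIXED_BUILD` thresholds are labelled placeholders that must be replaced with the fixed builds published in Broadcom's advisory for these CVEs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output of `esxcli system version get` from three
# hypothetical hosts. Host names and build numbers are made up for this
# example; the field layout follows the real command's output.
SAMPLE_HOSTS: Dict[str, str] = {
    "esx-a.example.test": (
        "   Product: VMware ESXi\n"
        "   Version: 8.0.3\n"
        "   Build: Releasebuild-90000001\n"
        "   Update: 3\n"
        "   Patch: 0\n"
    ),
    "esx-b.example.test": (
        "   Product: VMware ESXi\n"
        "   Version: 8.0.3\n"
        "   Build: Releasebuild-90000008\n"
        "   Update: 3\n"
        "   Patch: 0\n"
    ),
    "esx-c.example.test": (
        "   Product: VMware ESXi\n"
        "   Version: 7.0.3\n"
        "   Build: Releasebuild-90000002\n"
        "   Update: 3\n"
        "   Patch: 0\n"
    ),
}

# PLACEHOLDER thresholds keyed by major.minor version line. The article does
# not list the patched builds; substitute the fixed build numbers from
# Broadcom's advisory for these CVEs before running this against real hosts.
MIN_FIXED_BUILD: Dict[str, int] = {
    "7.0": 90000007,  # placeholder, not a real build number
    "8.0": 90000008,  # placeholder, not a real build number
}

_FIELD_RE = re.compile(r"^\s*(Product|Version|Build|Update|Patch):\s*(.+?)\s*$", re.M)


def parse_version_output(text: str) -> Dict[str, str]:
    """Turn the key/value lines of `esxcli system version get` into a dict."""
    return {key: value for key, value in _FIELD_RE.findall(text)}


def build_number(info: Dict[str, str]) -> Optional[int]:
    """Extract the numeric build from 'Releasebuild-NNNN' (None if absent)."""
    match = re.search(r"(\d+)\s*$", info.get("Build", ""))
    return int(match.group(1)) if match else None


def version_line(info: Dict[str, str]) -> str:
    """Reduce '8.0.3' to the '8.0' line that the fixed-build table is keyed on."""
    parts = info.get("Version", "").split(".")
    return ".".join(parts[:2])


def patch_status(text: str, min_fixed: Dict[str, int]) -> str:
    """Classify one host's output as 'patched', 'unpatched' or 'unknown'."""
    info = parse_version_output(text)
    build = build_number(info)
    threshold = min_fixed.get(version_line(info))
    if build is None or threshold is None:
        # Unparsable output, or a version line missing from the table:
        # report it rather than silently treating it as safe.
        return "unknown"
    return "patched" if build >= threshold else "unpatched"


def audit(hosts: Dict[str, str], min_fixed: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return (host, status) pairs for every host that is not confirmed patched."""
    findings = []
    for host, output in hosts.items():
        status = patch_status(output, min_fixed)
        if status != "patched":
            findings.append((host, status))
    return sorted(findings)


if __name__ == "__main__":
    for host, status in audit(SAMPLE_HOSTS, MIN_FIXED_BUILD):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" deserve the same attention as "unpatched": an unexpected version line usually means the threshold table is incomplete, not that the host is safe. Feeding the script real output means collecting `esxcli system version get` from each host over SSH or through vCenter and placing it in the dictionary keyed by host name.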

Given the critical nature of these vulnerabilities and their active exploitation in the wild, organizations must prioritize the implementation of security updates immediately upon release. System administrators should also enhance their security monitoring capabilities and conduct comprehensive security audits to detect any signs of compromise. The situation underscores the critical importance of maintaining robust security practices in virtualized environments and the need for prompt response to emerging threats.
