Zero-Day Vulnerabilities Active in VMware ESXi & Workstations

More than 37,000 VMware ESXi instances remain vulnerable to CVE-2025-22224, a critical out-of-bounds write flaw actively exploited in the wild. The Shadowserver Foundation initially reported 41,500 affected instances, with 4,500 patched since then. Broadcom has warned about CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, all of which have been exploited as zero-days. These security vulnerabilities enable attackers with administrator or root privileges on a virtual machine to break out of the VM sandbox and gain unauthorized access to the hypervisor. Such vulnerabilities pose a major threat, especially to enterprises relying on VMware infrastructure for cloud environments and essential workloads.

Technical Description

CVE-2025-22224
This is a time-of-check to time-of-use (TOCTOU) race condition in VMware products that could allow a local attacker with administrative privileges on a virtual machine (VM) to execute arbitrary code on the host machine. It arises because the system checks for permission to perform an action and then later executes the action without rechecking the permissions or conditions, which may have changed in the meantime.
The flaw is triggered during the interaction between the VM and the hypervisor (VMX process) when certain sensitive files or resources are accessed. An attacker can manipulate these resources within the timing window between the check and the use, allowing unauthorized code execution on the host and potentially full system compromise.
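As an added illustration of the check-then-use pattern described above (a constructed example, not VMware's code and not the VMX flaw itself; a symlink swap on a temporary file stands in for the hypervisor resource), the vulnerable shape is shown beside a version in which the check is part of the use, so there is no window to race:

```python
import os
import tempfile

def make_playground():
    # Constructed stand-in: a sensitive file the checked path must never
    # reach, plus the harmless file that the check is run against.
    d = tempfile.mkdtemp()
    secret, target = os.path.join(d, "secret.txt"), os.path.join(d, "request.txt")
    for p, text in ((secret, "HOST-SECRET"), (target, "harmless")):
        with open(p, "w") as f:
            f.write(text)
    return secret, target

def swap_for_symlink(target, secret):
    # Models the racing party winning the window: the checked path is
    # replaced by a symlink to the sensitive file after the check ran.
    os.remove(target)
    os.symlink(secret, target)

def read_check_then_use(path, between=None):
    # Vulnerable: checks the NAME, then opens the name again later (check not tied to object).
    if os.path.islink(path):
        raise PermissionError("symlinks not allowed")
    if between:
        between()            # the check-to-use window
    with open(path) as f:    # follows symlinks: reads whatever the path is now
        return f.read()

def read_check_at_use(path, between=None):
    # Hardened pattern: check and use are one operation on one object.
    # O_NOFOLLOW refuses a symlink at open time, so there is no pre-check to race.
    if between:
        between()
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        raise PermissionError("symlinks not allowed") from e
    with os.fdopen(fd) as f:
        return f.read()

def demo():
    secret, target = make_playground()
    leaked = read_check_then_use(target, lambda: swap_for_symlink(target, secret))
    secret, target = make_playground()
    try:
        read_check_at_use(target, lambda: swap_for_symlink(target, secret))
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked
```

Running `demo()` returns `("HOST-SECRET", True)`: the same swap that leaks the sensitive file through the check-then-use path is rejected when the check happens at the moment of use.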

CVE-2025-22225
This is a privilege escalation vulnerability in VMware ESXi, Workstation and Fusion that allows a malicious actor to elevate their privileges from a normal user or unprivileged guest VM to administrative-level access. It occurs because of improper validation and access control checks within the affected products, which allow an attacker to escalate their privileges within a guest VM.
By exploiting this flaw, an attacker could gain higher levels of access to the host system bypassing security mechanisms and running privileged operations. The attacker may also be able to install malicious software or modify the host configuration, leading to the possibility of further exploitation or complete control over the host.

CVE-2025-22226
This is a vulnerability in VMware products that allows an attacker to execute arbitrary code on the host machine by exploiting improper handling of virtual machine operations. The flaw stems from insufficient validation of input and output data during certain VM operations, which allows the attacker to inject malicious code into the virtual machine's operation flow.

This vulnerability is severe because it can be triggered by a user controlling the guest OS within a VM. This allows the execution of arbitrary code on the host system, which could lead to control of the system, installation of malware, or compromise of the virtual environment.

Impact

The vulnerabilities CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226 pose severe risks to VMware environments, each with the potential for significant impact: total compromise of the host system, installation of malware, data theft, or disruption of services. Collectively, these vulnerabilities undermine the security and integrity of VMware environments, threatening sensitive data, operational continuity and system availability, making prompt patching and mitigation critical for affected systems.

IOC and Context Details

Topics                  Details
Tactic Name             Privilege Escalation, Execution
Technique Name          Exploitation for Privilege Escalation, Exploitation for Arbitrary Code Execution
Sub-Technique Name      TOCTOU (Time-of-Check Time-of-Use) Race Condition, Escalate Privileges, Code Injection
Attack Type             Code Execution, Privilege Escalation
Targeted Applications   VMware ESXi, VMware Workstation, VMware Fusion
Region Impacted         Global
Industry Impacted       All
IOCs                    NA
CVE                     CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

Recommended Actions

  1. Apply Patches and Security Updates

VMware has released security patches to address these vulnerabilities. Administrators should immediately apply the latest patches to VMware ESXi, VMware Workstation, and VMware Fusion.

  2. Restrict Access Control and User Privileges

Limit the number of users with administrative privileges on virtual machines (VMs) and restrict access to only necessary personnel. This helps minimize the potential for exploitation, especially for privilege escalation and arbitrary code execution attacks.

  3. Perform Security Audits and Monitoring

Implement continuous monitoring of VMware environments for signs of suspicious or unauthorized activity. Look for unusual access patterns or administrative actions that could indicate an exploit attempt.
