Broadcom patched VMware zero-days CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226 after Microsoft warned it of exploitation.
March 4, 2025 By Eduard Kovacs
Broadcom released a security alert on Tuesday morning to warn VMware customers about three zero-days that have been exploited in the wild.
The vulnerabilities, tracked as CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226, affect VMware ESXi, Workstation, and Fusion. Patches have been released for each impacted product, but workarounds are not available.
CVE-2025-22224 has been described as a critical VMCI heap overflow vulnerability affecting VMware ESXi and Workstation that allows an attacker with local admin privileges on a virtual machine (VM) to “execute code as the virtual machine’s VMX process running on the host”.
CVE-2025-22225, which affects VMware ESXi, is a high-severity arbitrary file write issue that allows an attacker with privileges within the VMX process to “trigger an arbitrary kernel write leading to an escape of the sandbox”.
CVE-2025-22226 affects VMware ESXi, Workstation and Fusion. It’s a high-severity information disclosure flaw caused by an out-of-bounds read bug in the HGFS component; it allows an attacker with administrative privileges on a VM to leak memory from the VMX process.