Broadcom has patched four critical VMware flaws disclosed during Pwn2Own Berlin 2025, earning researchers a total of $340,000 in rewards. The vulnerabilities, including CVE-2025-41236 and CVE-2025-41238, allowed attackers to execute code on the host and exploit administrative access. Broadcom is not aware of any attacks in the wild exploiting these vulnerabilities.
At the recently concluded Pwn2Own Berlin 2025 hacking contest, researchers earned a substantial sum of $340,000 for discovering and exploiting critical vulnerabilities in various software products. Among those affected were four vulnerabilities in VMware products, which have been patched by Broadcom to prevent potential exploitation.
One of the most significant vulnerabilities disclosed during the Pwn2Own Berlin 2025 contest was CVE-2025-41236, an integer overflow flaw in the VMXNET3 adapter (CVSS score 9.3) that was used by STARLabs SG. This vulnerability allowed attackers with admin access on a VM to run code on the host, crossing the boundary between guest and host.
Another critical vulnerability disclosed during the Pwn2Own Berlin 2025 contest was CVE-2025-41238, a heap overflow in the PVSCSI controller. This vulnerability, with a CVSS score of 9.3, allowed Synacktiv to execute code on the host as part of an ESXi exploit.
Furthermore, Broadcom patched CVE-2025-41237, an integer underflow flaw in VMCI (CVSS score 9.3) exploited by REverse Tactics. This vulnerability was chained with CVE-2025-41239 at Pwn2Own, earning REverse Tactics $112,500 for an ESXi exploit using the bugs.
Additionally, Broadcom patched CVE-2025-41239, an information disclosure flaw (CVSS score 7.1) discovered by Corentin BAYET of REverse Tactics and Theori. This vulnerability was also chained with CVE-2025-41237 at Pwn2Own.
Broadcom confirmed that it is not aware of any attacks in the wild exploiting these vulnerabilities, stating: "Broadcom has no information to suggest that exploitation of these issues has occurred in the wild."
This highlights the importance of responsible vulnerability disclosure practices among researchers and software companies. By identifying and reporting critical vulnerabilities before they are exploited in the wild, individuals can play a crucial role in enhancing the overall security posture of software products and reducing the risk of cyber attacks.
Furthermore, the patches released by Broadcom demonstrate the company's commitment to addressing security concerns and protecting users from potential exploitation of vulnerabilities. By providing timely patches for critical vulnerabilities, Broadcom is helping to minimize the risks associated with these exploits and ensuring that its software products remain secure and reliable.