Ethical Hacking News
Broadcom has warned its customers about three zero-day vulnerabilities in VMware ESX products that have been exploited in attacks. These vulnerabilities pose a significant threat to organizations that rely on these products, highlighting the importance of patching them as soon as possible.
The three flaws (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) can be chained to break out of a guest virtual machine into the hypervisor, exposing sensitive data and potentially handing the attacker control of the entire host. The critical-severity VMCI heap overflow (CVE-2025-22224) lets a local attacker with administrative privileges on the targeted VM execute code as the VMX process running on the host; from there the chain continues to a sandbox escape that injects code into the ESXi kernel. Patches are available, and Broadcom advises customers to apply them immediately to limit the impact of these exploits.
Broadcom has sounded an alarm for its customers regarding three zero-day vulnerabilities in VMware ESX products that have been exploited in attacks. These vulnerabilities, which were discovered by the Microsoft Threat Intelligence Center, pose a significant threat to organizations that rely on these products.
The three zero-days, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, affect VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform. Attackers who already hold administrator or root access inside a guest VM can chain these flaws to escape the virtual machine's sandbox, compromising the security of the host and everything running on it.
The first vulnerability, CVE-2025-22224, is a critical-severity VMCI heap overflow that enables local attackers with administrative privileges on the targeted VM to execute code as the VMX process running on the host. This lets an attacker move from the guest into the hypervisor itself, gaining access to sensitive data and potentially taking control of the entire system.
The second vulnerability, CVE-2025-22225, is an ESXi arbitrary write vulnerability that allows the VMX process to trigger arbitrary kernel writes, leading to a sandbox escape. This flaw enables attackers to inject malicious code into the kernel, breaking the isolation between the virtual machine and the host and potentially allowing them to take control of the host system.
The third vulnerability, CVE-2025-22226, is an HGFS information-disclosure flaw that lets threat actors with admin permissions leak memory from the VMX process. This allows attackers to access sensitive data stored in the VMX process, including encryption keys and other confidential information.
Broadcom has warned its customers about these vulnerabilities and advised them to take immediate action to patch their systems. The company has provided guidance on how to apply the necessary patches and mitigate the impact of these exploits.
VMware vulnerabilities are often targeted by ransomware gangs and state-sponsored hacking groups because these products are commonly used in enterprise operations to store or transfer sensitive corporate data. The fact that these zero-days were exploited in the wild suggests that the attackers already held privileged access to guest systems, highlighting the importance of patching these vulnerabilities as soon as possible.
In recent months, Broadcom has warned its customers about several other VMware vulnerabilities that have been exploited in attacks. These include two vCenter Server vulnerabilities that were patched in September, which allowed attackers to gain privilege escalation to root and execute arbitrary code remotely. The company also revealed that Chinese state hackers had exploited a critical vCenter Server vulnerability since at least late 2021 to deploy VirtualPita and VirtualPie backdoors on vulnerable ESXi hosts.
The discovery of these three zero-days highlights the importance of staying up-to-date with the latest security patches and vulnerabilities. It also serves as a reminder of the ongoing threat landscape and the need for organizations to prioritize their security posture.
In conclusion, Broadcom's warning about the three VMware zero-days exploited in attacks is a wake-up call for organizations that rely on these products. The fact that attackers have already gained access to compromised systems highlights the importance of patching these vulnerabilities as soon as possible. We will continue to monitor this situation and provide updates as more information becomes available.
Related Information:
https://www.ethicalhackingnews.com/articles/Broadcom-Warns-of-Three-VMware-Zero-Days-Exploited-in-Attacks-ehn.shtml
https://www.bleepingcomputer.com/news/security/broadcom-fixes-three-vmware-zero-days-exploited-in-attacks/
https://nvd.nist.gov/vuln/detail/CVE-2025-22224
https://www.cvedetails.com/cve/CVE-2025-22224/
https://nvd.nist.gov/vuln/detail/CVE-2025-22225
https://www.cvedetails.com/cve/CVE-2025-22225/
https://nvd.nist.gov/vuln/detail/CVE-2025-22226
https://www.cvedetails.com/cve/CVE-2025-22226/
Published: Tue Mar 4 07:55:50 2025 by llama3.2 3B Q4_K_M