Ethical Hacking News
Broadcom has fixed three actively exploited zero-days in VMware ESX products, including CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. These vulnerabilities allow attackers to escape the sandbox within a virtual machine, potentially gaining access to the underlying host system. The company released security patches to address these flaws, which are being exploited "in the wild." Organizations utilizing VMware ESX products must take immediate action and apply the necessary patches to prevent exploitation of these vulnerabilities.
Broadcom has addressed three actively exploited zero-days in VMware ESX products: CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. The vulnerabilities allow attackers to escape the sandbox within virtual machines and potentially gain access to the underlying host system. CVE-2025-22224 is a TOCTOU issue with a CVSS score of 9.3. CVE-2025-22225 is an arbitrary write issue with a CVSS score of 8.2. CVE-2025-22226 is an information-disclosure vulnerability with a CVSS score of 7.1. Exploitation of these vulnerabilities has occurred in the wild, representing a "VM Escape" situation. Organizations using VMware ESX products must apply patches and take steps to limit access to sensitive areas to prevent exploitation.
VMware, a leading virtualization software provider, recently addressed three actively exploited zero-days in its ESX products. These vulnerabilities were discovered and tracked under CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. The impact of these flaws is widespread, affecting multiple VMware ESX products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform.
Researchers from Microsoft Threat Intelligence Center discovered the three vulnerabilities, which were subsequently addressed by Broadcom. According to the company, an attacker with privileged administrator or root access can chain these vulnerabilities to escape the sandbox within the virtual machine. This is a critical security concern as it allows attackers to move beyond the confines of the virtualized environment and potentially gain access to the underlying host system.
The first vulnerability, CVE-2025-22224, is described as a TOCTOU (Time-of-Check Time-of-Use) issue in VMware ESXi and Workstation. This vulnerability has a CVSS score of 9.3. It allows an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.
The second vulnerability, CVE-2025-22225, is described as an arbitrary write issue in VMware ESXi. This vulnerability has a CVSS score of 8.2 and allows attackers with privileges within the VMX process to trigger an arbitrary kernel write, leading to an escape of the sandbox.
The third vulnerability, CVE-2025-22226, is described as an information-disclosure vulnerability that impacts VMware ESXi, Workstation, and Fusion. This vulnerability has a CVSS score of 7.1 and is due to an out-of-bounds read in HGFS. An attacker with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.
Broadcom has confirmed that it has information suggesting that exploitation of these three flaws has occurred in the wild. The company released a critical VMware Security Advisory (VMSA), VMSA-2025-0004, covering the vulnerabilities found and resolved in VMware ESX that could let threat actors reach the hypervisor from a running virtual machine.
The company's statement notes that these vulnerabilities are being exploited "in the wild" and that they represent a situation known as a "VM Escape." This is a critical situation where an attacker who has already compromised a virtual machine's guest OS and gained privileged access (administrator or root) could move into the hypervisor itself. The company has not disclosed specific details about the attacks or the threat actors behind them.
The discovery of these vulnerabilities highlights the ongoing cat-and-mouse game between cybersecurity professionals and malicious actors. As software providers continue to develop new and innovative products, so too do attackers seek to exploit vulnerabilities for their own nefarious purposes. The swift response by Broadcom in addressing these actively exploited zero-days is a testament to the company's commitment to maintaining the security of its products.
In light of this recent development, it is essential for organizations utilizing VMware ESX products to take immediate action and apply the necessary patches to prevent exploitation of these vulnerabilities. This includes ensuring that all systems are up-to-date with the latest security advisories and taking steps to limit access to sensitive areas of the system.
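As an added example (not part of the article or of Broadcom's tooling), the following helper parses the output of `esxcli system version get` captured from each ESXi host and flags hosts whose build is below the fixed build for their branch. The FIXED_BUILDS numbers are placeholders, not the real fixed builds; replace them with the builds listed in VMSA-2025-0004 before use.

```python
import re

# PLACEHOLDER minimum fixed build per ESXi branch. The article does not list
# fixed builds; fill these in from VMSA-2025-0004 before running for real.
FIXED_BUILDS = {
    "7.0": 70000000,
    "8.0": 80000000,
}

# Matches the "   Key: value" lines printed by `esxcli system version get`.
_FIELD = re.compile(r"^\s*(Product|Version|Build|Update|Patch):\s*(.+?)\s*$", re.M)


def parse_version_output(text):
    """Return a dict of the esxcli fields, with Build converted to an int."""
    info = dict(_FIELD.findall(text))
    # Build is printed as e.g. "Releasebuild-24022510"; keep the trailing number.
    m = re.search(r"(\d+)\s*$", info.get("Build", ""))
    if "Version" not in info or not m:
        raise ValueError("unrecognised esxcli output")
    info["Build"] = int(m.group(1))
    return info


def is_patched(info, fixed=FIXED_BUILDS):
    """True if at/above the fixed build, False if below, None if branch unknown."""
    branch = ".".join(info["Version"].split(".")[:2])
    if branch not in fixed:
        return None  # unsupported or unlisted branch: needs manual review
    return info["Build"] >= fixed[branch]


def triage(hosts, fixed=FIXED_BUILDS):
    """Map host name -> 'patched' / 'VULNERABLE' / 'review' from captured output."""
    labels = {True: "patched", False: "VULNERABLE", None: "review"}
    return {name: labels[is_patched(parse_version_output(out), fixed)]
            for name, out in hosts.items()}


# Constructed sample output, not captured from real hosts.
SAMPLE_HOSTS = {
    "esx01": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-80000001\n   Update: 3\n   Patch: 0\n",
    "esx02": "   Product: VMware ESXi\n   Version: 7.0.3\n   Build: Releasebuild-69999999\n   Update: 3\n   Patch: 125\n",
    "esx03": "   Product: VMware ESXi\n   Version: 6.7.0\n   Build: Releasebuild-17700523\n   Update: 3\n   Patch: 0\n",
}

if __name__ == "__main__":
    for host, state in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {state}")
```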
Furthermore, this incident serves as a reminder of the importance of vigilance in cybersecurity. As threats continue to evolve and become more sophisticated, it is crucial for organizations and individuals alike to stay informed and take proactive measures to protect themselves against potential vulnerabilities.
In conclusion, the discovery of three actively exploited zero-days in VMware ESX products highlights the ongoing threat landscape and the need for swift action in addressing these vulnerabilities. By staying informed and taking proactive measures to secure their systems, organizations can minimize the risk of exploitation and ensure the continued security and integrity of their virtualized environments.
Related Information:
https://www.ethicalhackingnews.com/articles/Three-Actively-Exploited-Zero-Days-in-VMware-ESX-Products-Fixed-by-Broadcom-ehn.shtml
https://securityaffairs.com/174911/security/vmware-fixed-three-actively-exploited-zero-days-in-esx-products.html
https://www.bleepingcomputer.com/news/security/broadcom-fixes-three-vmware-zero-days-exploited-in-attacks/
https://nvd.nist.gov/vuln/detail/CVE-2025-22224
https://www.cvedetails.com/cve/CVE-2025-22224/
https://nvd.nist.gov/vuln/detail/CVE-2025-22225
https://www.cvedetails.com/cve/CVE-2025-22225/
https://nvd.nist.gov/vuln/detail/CVE-2025-22226
https://www.cvedetails.com/cve/CVE-2025-22226/
Published: Tue Mar 4 19:15:35 2025 by llama3.2 3B Q4_K_M