lconstantin
CSO Senior Writer

VMware ESXi gets critical patches for in-the-wild virtual machine escape attack

News
04 Mar 2025
Security, Zero-Day Vulnerabilities

Broadcom has patched three vulnerabilities in the VMware ESXi hypervisor and related products, with Microsoft reporting the flaws are being actively exploited to take control of host systems.


Broadcom released emergency patches for its VMware ESXi, Workstation, and Fusion products to fix three vulnerabilities that can lead to virtual machine escape and are actively being exploited by attackers. Products that include VMware ESXi, such as VMware vSphere, VMware Cloud Foundation, and VMware Telco Cloud Platform, are also impacted.

VMware products, especially the ESXi enterprise hypervisor, are high-value targets and have been repeatedly attacked by cybercriminal and cyberespionage groups over the years. Hypervisors, or virtual machine monitors, are the virtualization software used to create and run virtual machines.

Virtual machine escapes, in which an attacker with access to a guest VM can take over the entire host server, are the most serious hypervisor attacks because they violate the core security principle that virtualization is supposed to offer: complete isolation between guest operating systems and the host OS.

The three vulnerabilities that make up this exploit chain were reported to Broadcom by Microsoft Threat Intelligence Center, a team whose main task is to track threat actors and attacks. Broadcom said it received information to suggest exploitation of these flaws has occurred in the wild.

All three flaws impact VMware ESXi as well as the enterprise solutions built on it, but two flaws also impact the VMware Workstation Pro hypervisor for Windows and Linux and one affects the VMware Fusion hypervisor for macOS.

Memory bugs chained together

The first vulnerability, tracked as CVE-2025-22224, is located in the Virtual Machine Communication Interface (VMCI), a device that is present in all VMware VMs and handles interprocess socket-based communication.

Broadcom describes this flaw as a TOCTOU (time-of-check time-of-use) vulnerability that can cause an out-of-bounds memory write leading to a heap overflow. The flaw affects ESXi and Workstation and can be exploited by an attacker with administrator privileges in a guest VM to execute arbitrary code in the context of the VMX process on the host. Because of this, it is rated with a 9.3 (critical) severity score on the CVSS scale.
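As an added illustration of the TOCTOU pattern described above (this is not VMware's code and does not reproduce CVE-2025-22224; the message layout, the buffer sizes and the `run_scenario` harness are constructed for the demonstration), a host-side device handler below fetches a guest-controlled length from shared memory twice, shown beside the single-fetch fix:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HOST_BUF 64   /* declared capacity of the host-side copy target */

/* Constructed model of a message header in memory shared with the guest.
 * `len` is guest-controlled and can change at any instant, hence volatile. */
struct msg_hdr {
    volatile uint32_t len;
    uint8_t payload[256];
};

/* Models the racing guest: rewrites the already-checked length. */
static void guest_rewrites_len(struct msg_hdr *m) { m->len = 200; }
static void guest_idle(struct msg_hdr *m) { (void)m; }

/* Vulnerable pattern: `len` is read from shared memory once for the check and
 * again for the copy (a double fetch). Returns the byte count that reaches the
 * copy; anything above HOST_BUF is an out-of-bounds write. `host` is backed by
 * 256 bytes in this model so the demonstration itself never corrupts memory. */
static size_t handle_double_fetch(struct msg_hdr *m, uint8_t *host,
                                  void (*guest)(struct msg_hdr *)) {
    if (m->len > HOST_BUF)            /* time of check: reads shared memory */
        return 0;
    guest(m);                         /* race window: guest changes len */
    size_t n = m->len;                /* time of use: reads shared memory again */
    memcpy(host, m->payload, n);      /* n may now exceed HOST_BUF */
    return n;
}

/* Hardened pattern: fetch the length once into host-private memory, validate
 * that private copy, and never consult the shared value again. */
static size_t handle_single_fetch(struct msg_hdr *m, uint8_t *host,
                                  void (*guest)(struct msg_hdr *)) {
    uint32_t len = m->len;            /* single fetch */
    if (len > HOST_BUF)
        return 0;
    guest(m);                         /* guest may still rewrite shared memory... */
    memcpy(host, m->payload, len);    /* ...but only the validated copy is used */
    return len;
}

/* Runs one scenario; a result above HOST_BUF means the bounds check was bypassed. */
size_t run_scenario(int hardened, int racing) {
    struct msg_hdr m = { .len = 16 };
    uint8_t host[256] = {0};          /* oversized backing store for the model */
    void (*guest)(struct msg_hdr *) = racing ? guest_rewrites_len : guest_idle;
    return hardened ? handle_single_fetch(&m, host, guest)
                    : handle_double_fetch(&m, host, guest);
}
```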

The second vulnerability, CVE-2025-22225, is an arbitrary write vulnerability that impacts ESXi and can enable an attacker with privileges in the sandboxed VMX process — such as those gained through the first vulnerability — to write to kernel memory. This is essentially a privilege escalation leading to a sandbox escape. The flaw is rated with an 8.2 (high) severity score.

The third vulnerability, CVE-2025-22226, is an out-of-bounds memory read in the HGFS component that can lead to information disclosure. Attackers with administrative privileges in a VM can exploit this flaw to leak memory from the VMX process. The vulnerability impacts VMware ESXi, Workstation, and Fusion and has a severity score of 7.1 (high).

Remediation

There are no workarounds for these vulnerabilities; deploying the released patches is the only remediation. VMware ESXi customers can install VMware ESXi 8.0 Update 3d, VMware ESXi 8.0 Update 2d, or VMware ESXi 7.0 Update 3s, depending on their edition. Patches have also been released for ESX 6.5 and 6.7, but these are available only to customers with extended support contracts.

“Broadcom recommends the use of vMotion to relocate virtual machines to alternate hosts while you update, in a ‘rolling reboot’ fashion,” the company said in an FAQ document. “Virtual machines that do not use vMotion will need to be powered down during the host restart.”

Companies running VMware vSphere (7.x and 8.x), VMware Cloud Foundation (4.5.x and 5.x), VMware Telco Cloud Platform (2.x through 5.x), and VMware Telco Cloud Infrastructure (2.x and 3.x) should deploy the ESXi patches that correspond to the edition included in their products. Broadcom has provided individual support documents with instructions for these products in its advisory.

VMware Workstation 17.x users should upgrade to 17.6.3 and VMware Fusion 13.x users should upgrade to version 13.6.3.