Advisory ID: VMSA-2025-0004
Severity: Critical
CVSSv3 Range: 7.1 – 9.3
Issue Date: March 4, 2025
CISA KEV Inclusion: Yes

Summary

Newly disclosed zero-day vulnerabilities in VMware ESXi, Workstation, and Fusion are being actively exploited, putting virtual environments at serious risk. These critical vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) could allow attackers to execute code, escape sandboxes, and access sensitive data. CISA has classified this as an emergency, adding it to the Known Exploited Vulnerabilities (KEV) Catalog, and delaying patches leaves systems vulnerable to attack. Organizations must apply patches immediately, no later than March 25, to prevent exploitation.

Who is Affected?

Organizations using unpatched versions of these products are at immediate risk and must take action.

Disabling VMware Tools does not eliminate the risk, as attackers with privileged access can re-enable it. Organizations unsure about their ESXi version should assume vulnerability and update immediately.

Xiologix is actively working with our managed services clients to address these vulnerabilities. If your systems are affected, we strongly encourage you to apply the necessary patches or reach out to our team for assistance.

Impacted Products

  • VMware ESXi
  • VMware Workstation Pro / Player
  • VMware Fusion
  • VMware Cloud Foundation
  • VMware Telco Cloud Platform

Vulnerability Details

  • CVE-2025-22224: VMCI Heap-Overflow Vulnerability
     Classified as critical with a CVSS score of 9.3, this vulnerability exists in VMware ESXi and Workstation due to a Time-of-Check Time-of-Use (TOCTOU) flaw, which can cause an out-of-bounds write. An attacker with local admin rights on a virtual machine could exploit this issue to execute code within the VMX process on the host.

  • CVE-2025-22225: VMware ESXi Arbitrary Write Vulnerability
     Rated as important with a CVSS score of 8.2, this vulnerability affects VMware ESXi and involves an arbitrary write issue. Attackers with access to the VMX process could manipulate kernel memory, leading to sandbox escape and potential further compromise.

  • CVE-2025-22226: HGFS Information Disclosure Vulnerability
     With an important severity rating and a CVSS score of 7.1, this vulnerability is linked to an out-of-bounds read in HGFS, affecting VMware ESXi, Workstation, and Fusion. Attackers with administrative privileges on a virtual machine could exploit this flaw to access memory from the VMX process.

Affected Versions & Patching

Users must update to the following versions to mitigate risk:

  • VMware ESXi 7.0 → Patch ESXi70U3s-24585291
  • VMware ESXi 8.0 2D → Patch ESXi80U2d-24585300
  • VMware ESXi 8.0 3D → Patch ESXi80U3d-24585383
  • VMware Fusion 13.x → Update to 13.6.3
  • VMware Workstation 17.x → Update to 17.6.3
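
As an added triage example (not part of the original advisory or of VMware's tooling), the Python check below compares each ESXi host's reported version and build, and each Workstation or Fusion version, against the fixed releases listed above. It assumes ESXi reports 7.0 Update 3 as 7.0.3, 8.0 Update 2 as 8.0.2 and 8.0 Update 3 as 8.0.3 (the `vmware -vl` output format), and the inventory lines are constructed samples.

```python
import re

# Fixed ESXi builds from the table above, keyed by the version string the host
# reports. The 7.0.3 / 8.0.2 / 8.0.3 mapping is an assumption of this example.
FIXED_ESXI_BUILDS = {
    "7.0.3": 24585291,  # ESXi70U3s
    "8.0.2": 24585300,  # ESXi80U2d
    "8.0.3": 24585383,  # ESXi80U3d
}

# Minimum fixed releases for the desktop hypervisors, from the table above.
FIXED_DESKTOP = {"Fusion": (13, 6, 3), "Workstation": (17, 6, 3)}

ESXI_RE = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")


def assess_esxi(version_line):
    """Classify one 'vmware -vl' style line as patched, vulnerable or unknown.
    'unknown' covers release lines the table does not list; per the advisory,
    treat those hosts as vulnerable until they are updated."""
    m = ESXI_RE.search(version_line)
    if not m:
        return "unknown"
    version, build = m.group(1), int(m.group(2))
    fixed = FIXED_ESXI_BUILDS.get(version)
    if fixed is None:
        return "unknown"
    # Build numbers only compare within one release line: an 8.0.3 host is not
    # fixed just because its build exceeds the 8.0.2 fix build.
    return "patched" if build >= fixed else "vulnerable"


def assess_desktop(product, version):
    """Compare a Workstation/Fusion version string against the fixed release."""
    fixed = FIXED_DESKTOP.get(product)
    parts = tuple(int(p) for p in version.split("."))
    if fixed is None or parts[0] != fixed[0]:
        return "unknown"  # only the 13.x / 17.x lines are covered here
    return "patched" if parts >= fixed else "vulnerable"


# Constructed sample inventory (hostnames and older builds are made up).
SAMPLE_INVENTORY = {
    "esx-a": "VMware ESXi 7.0.3 build-24585291",  # at the fixed build
    "esx-b": "VMware ESXi 8.0.3 build-24300000",  # U3 line, older build
    "esx-c": "VMware ESXi 8.0.2 build-24585300",  # at the fixed build
    "esx-d": "VMware ESXi 8.0.1 build-23000000",  # line not in the table
}


def triage(inventory):
    """Return {host: status} for every host in the inventory."""
    return {host: assess_esxi(line) for host, line in inventory.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check against the full VMSA rather than being skipped.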

Action Required

Immediate patching is strongly recommended to mitigate these vulnerabilities. A recent scan identified over 409,000 exposed VMware instances, highlighting the urgency of this issue. Organizations should assess their exposure and take prompt action.

For full details and patching guidance, refer to the VMware Advisory VMSA-2025-0004.