CVE-2025-22226

medium

Description

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. A malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

From the Tenable Blog

CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited

Published: 2025-03-04

Broadcom published an advisory for three flaws in several VMware products that were exploited in the wild as zero-days. Organizations are advised to apply the available patches.

References

https://securityaffairs.com/175858/security/authentication-bypass-cve-2025-22230-in-vmware-tools-for-windows.html

https://www.bleepingcomputer.com/news/security/broadcom-warns-of-authentication-bypass-in-vmware-windows-tools/

https://www.cisa.gov/news-events/ics-advisories/icsa-25-077-02

https://www.securityweek.com/exploited-vmware-esxi-flaws-put-many-at-risk-of-ransomware-other-attacks/

https://www.bleepingcomputer.com/news/security/over-37-000-vmware-esxi-servers-vulnerable-to-ongoing-attacks/

https://cloud.google.com/support/bulletins/index#gcp-2025-011

https://www.databreachtoday.com/broadcom-patches-actively-exploited-zero-days-in-vmware-esxi-a-27647

https://www.theregister.com/2025/03/04/vmware_plugs_three_hypervisorhijack_holes/

https://www.tenable.com/blog/cve-2025-22224-cve-2025-22225-cve-2025-22226-zero-day-vulnerabilities-in-vmware-esxi

https://www.securityweek.com/broadcom-patches-3-vmware-zero-days-exploited-in-the-wild/

https://www.infosecurity-magazine.com/news/vmware-patch-exploited-zero-day/

https://www.darkreading.com/vulnerabilities-threats/vmware-zero-day-bugs-sandbox-escape

https://www.cisa.gov/news-events/alerts/2025/03/04/cisa-adds-four-known-exploited-vulnerabilities-catalog

https://www.bleepingcomputer.com/news/security/broadcom-fixes-three-vmware-zero-days-exploited-in-attacks/

https://therecord.media/vmware-exploited-vulnerabilities-esxi-workstation-fusion

https://thehackernews.com/2025/03/vmware-security-flaws-exploited-in.html

https://arstechnica.com/security/2025/03/vmware-patches-3-critical-vulnerabilities-in-multiple-product-lines/

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

Details

Source: Mitre, NVD

Published: 2025-03-04

Updated: 2025-03-05

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:L/AC:L/Au:M/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 6

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Severity: Medium