Broadcom issued a warning today regarding three newly discovered VMware zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226), which have been actively exploited in attacks. These vulnerabilities, identified by the Microsoft Threat Intelligence Center, impact multiple VMware products, including ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform.
According to Broadcom, attackers with administrative or root privileges can exploit these flaws to escape a virtual machine’s sandbox. “An attacker who has already compromised a guest operating system and obtained privileged access could escalate the attack to the hypervisor itself,” the company explained. Broadcom also confirmed evidence of in-the-wild exploitation.
Among the reported vulnerabilities, CVE-2025-22224 is classified as a critical VCMI heap overflow flaw, allowing local attackers with administrative access to execute code as the VMX process runs on the host. CVE-2025-22225 is an ESXi arbitrary write vulnerability, enabling the VMX process to perform unauthorized kernel writes, potentially leading to a sandbox escape. Meanwhile, CVE-2025-22226 is an HGFS information disclosure flaw that allows attackers with admin permissions to leak memory from the VMX process.
VMware products are frequent targets for ransomware groups and state-sponsored hackers due to their widespread use in enterprise environments for storing and transferring sensitive corporate data.
This is not the first instance of active VMware exploits. In November, Broadcom warned of attackers exploiting two VMware vCenter Server vulnerabilities patched in September—CVE-2024-38813, which allows privilege escalation to root, and CVE-2024-38812, a critical remote code execution flaw discovered during China’s 2024 Matrix Cup hacking competition.
Additionally, in January 2024, Broadcom disclosed that Chinese state-sponsored hackers had been exploiting a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since at least late 2021. This flaw was used to deploy VirtualPita and VirtualPie backdoors on vulnerable ESXi hosts.
