@csoonline.com
//
Three critical zero-day vulnerabilities have been discovered in VMware products, leading to active exploitation in the wild. The vulnerabilities affect VMware ESXi, Workstation, and Fusion, potentially allowing attackers to execute arbitrary code and escalate privileges. Microsoft's Threat Intelligence Center (MSTIC) uncovered the vulnerabilities, and they have since been added to CISA's Known Exploited Vulnerabilities Catalog.
Affected VMware products include ESXi versions 8.0 and 7.0, Workstation 17.x, Fusion 13.x, Cloud Foundation 5.x and 4.5.x, and Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x. The vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, carry CVSSv3 scores of 9.3, 8.2, and 7.1 respectively. Organizations using these VMware products are strongly advised to apply the available patches immediately to mitigate the risks associated with these flaws.
Recommended read:
References :
- cyble.com: Three critical zero-day vulnerabilities in VMware products, affecting VMware ESXi, Workstation, and Fusion, were reported as exploited in the wild.
- research.kudelskisecurity.com: Three critical zero-day vulnerabilities found in VMware products were actively being exploited in the wild.
- MSSP feed for Latest: Multiple zero-day vulnerabilities in VMware's ESXi, Workstation, and Fusion products were identified and confirmed by VMware, with evidence of active exploitation.
@csoonline.com
//
Three critical zero-day vulnerabilities have been discovered in VMware products, including ESXi, Workstation, and Fusion. Tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, these flaws are actively being exploited in the wild. Microsoft's Threat Intelligence Center (MSTIC) uncovered these vulnerabilities on March 4th. Chaining these three vulnerabilities together allows an attacker to escape a virtual machine and gain access to the ESXi hypervisor.
These vulnerabilities impact a wide range of VMware products, including VMware ESXi, Workstation Pro/Player, Fusion, Cloud Foundation, and Telco Cloud Platform. Successful exploitation could grant attackers unauthorized access to systems, enabling them to execute arbitrary code remotely and escalate privileges. VMware has released patches to address these issues, and CISA has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging immediate patching.
Recommended read:
References :
- Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom.
- securityaffairs.com: VMware fixed three actively exploited zero-days in ESX products
- www.csoonline.com: VMware ESXi gets critical patches for in-the-wild virtual machine escape attack.
- research.kudelskisecurity.com: Summary On March 4th, Microsoft’s Threat Intelligence Center (MSTIC) uncovered three critical vulnerabilities in VMware products that are being actively exploited in the wild. Affected
- www.tenable.com: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
- fortiguard.fortinet.com: Multiple zero-day vulnerabilities have been identified in VMware's ESXi, Workstation, and Fusion products. VMware has confirmed that these vulnerabilities are being actively exploited in the wild, and the Cybersecurity and Infrastructure Security Agency (CISA) has included them in its Known Exploited Vulnerabilities Catalog due to evidence of such exploitation.
- The Register - Software: VMware splats guest-to-hypervisor escape bugs already exploited in wild The heap overflow zero-day in the memory unsafe code by Miss Creant Broadcom today pushed out patches for three VMware hypervisor-hijacking bugs, including one rated critical, that have already been found and exploited by criminals.…
- Blog: Key Takeaways Three zero-day vulnerabilities have been discovered in VMware products, tracked as CVE-2025-22224 , CVE-2025-22225 , and CVE-2025-22226 . Nearly all supported and unsupported VMware products are impacted, including VMware ESXi, VMware Workstation Pro / Player (Workstation), VMware Fusion, VMware Cloud Foundation, and VMware Telco Cloud Platform. Chaining these 3 vulnerabilities together allows an attacker to escape or “break out� of a “child� Virtual Machine (VM), gain access to the “parent� ESXi Hypervisor, and potentially access any other accessible VM as well as gain access to the management network of the exposed VMware cluster.
@csoonline.com
//
Broadcom has issued urgent security patches to address three actively exploited vulnerabilities affecting VMware ESXi, Workstation, and Fusion products. These flaws, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, could enable attackers to execute code and disclose sensitive information. VMware ESXi is under active exploitation in the wild, making timely patching crucial to prevent potential attacks. The vulnerabilities impact various versions of VMware ESXi 8.0, 7.0, Workstation 17.x, Fusion 13.x, Cloud Foundation 5.x and 4.x, and Telco Cloud Platform.
The most critical flaw, CVE-2025-22224, boasts a CVSS score of 9.3 and is a heap-overflow vulnerability leading to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine could exploit this to execute code as the virtual machine's VMX process running on the host. Broadcom credited Microsoft's MSTIC security team with discovering and reporting these vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to patch them by March 25, 2025.
Recommended read:
References :
- bsky.app: Broadcom released security patches to patch an actively exploited zero-day in its VMware ESXi products. Broadcom credited Microsoft's MSTIC security team with spotting and reporting the attacks.
- The Hacker News: Broadcom Releases Urgent Patches
- The Register - Software: VMware splats guest-to-hypervisor escape bugs already exploited in wild
- www.csoonline.com: VMware ESXi gets critical patches for in-the-wild virtual machine escape attack
- securityaffairs.com: VMware fixed three actively exploited zero-days in ESX products
- Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom
- bsky.app: BleepingComputer article on VMware zero-days.
- Vulnerability-Lookup: A new bundle, VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226), has been published on Vulnerability-Lookup:
- : Three product lines from technology giant VMware — ESXI, Workstation and Fusion — have patches for vulnerabilities that the company and the federal government have said are being exploited by hackers
- securityaffairs.com: U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
- borncity.com: 0-day vulnerabilities in VMWare ESXi, Workstation and Fusion
- socradar.io: VMware Security Alert: Active Exploitation of Zero-Day Vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226)
- Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom
- Blog: Multiple zero-days in VMware products actively exploited
- gbhackers.com: CISA Issues Alert on Actively Exploited VMware Vulnerabilities
- www.tenable.com: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
- Information Security Buzz: Broadcom warns VMware users of Critical Zero-Day Exploits
- www.cybersecuritydive.com: 37K+ VMware ESXi instances vulnerable to critical zero-day
- www.itpro.com: Broadcom issues urgent alert over three VMware zero-days
- Carly Page: Broadcom is warning that a trio of VMware vulnerabilities are being actively exploited by hackers to compromise the networks of its corporate customers
- techcrunch.com: Security experts warn of ‘huge impact’ of actively exploited hypervisor flaws that allow sandbox escape
- Security Risk Advisors: Three Critical VMware Vulnerabilities Exploited in Wild Targeting ESXi, Workstation, and Fusion
- www.cybersecuritydive.com: Broadcom urges customers to patch 3 zero-day VMware flaws
- MSSP feed for Latest: Broadcom: VMware Zero-Days Being Exploited in the Wild
- www.bleepingcomputer.com: Over 37,000 internet-exposed VMware ESXi instances are vulnerable to CVE-2025-22224, a critical out-of-bounds write flaw that is actively exploited in the wild.
- research.kudelskisecurity.com: Critical VMware ESXi, Workstation, Fusion Vulnerabilities Seen Exploited in Wild
- cyble.com: Three VMware Zero-Days Under Active Exploitation – What You Need to Know
- Zack Whittaker: VMware emergency hypervisor escape bugs under attack
SC Staff@scmagazine.com
//
Ransomware gangs are increasingly using SSH tunneling to maintain stealthy access when targeting VMware ESXi hypervisors. This technique allows attackers to remain undetected while they move laterally within the system and deploy ransomware. Cyber security firm Sygnia's investigation has revealed that after infiltrating ESXi instances by exploiting known vulnerabilities or using stolen administrator credentials, the attackers utilize the built-in SSH service to establish covert pathways for ransomware delivery. The use of SSH tunnels, often configured with remote port-forwarding to the attacker's command-and-control server, creates a semi-persistent backdoor due to the resilience and infrequent shutdowns of ESXi appliances.
This persistent access poses a serious threat to virtualized environments as ransomware can cripple an entire business by encrypting vital virtual machines. Researchers recommend that administrators monitor specific log files, including those tracking ESXi Shell command execution, user authentication, and login attempts to identify potential SSH-based intrusions. They also suggest keeping a close watch on the hostd.log and vodb.log files as key sources of information to detect potential SSH access persistence. This is critical in an effort to detect and mitigate these sophisticated attacks.
Recommended read:
References :
- BleepingComputer: Ransomware actors targeting ESXi bare metal hypervisors are leveraging SSH tunneling to persist on the system while remaining undetected.
- securityaffairs.com: Threat actors behind ESXi ransomware attacks target virtualized environments using SSH tunneling to avoid detection.
- www.scworld.com: Covert VMware ESXI-targeted ransomware hack facilitated by SSH tunneling
- www.bleepingcomputer.com: Ransomware gang uses SSH tunnels for stealthy VMware ESXi access
- ciso2ciso.com: ESXi ransomware attacks use SSH tunnels to avoid detection – Source: securityaffairs.com
- www.sygnia.co: Sygnia’s Zhongyuan Hau (Aaron) & Ren Jie Yow show how ransomware threat actors use SSH tunneling between their C2 servers and the compromised environment for persistence.
- Pyrzout :vm:: ESXi ransomware attacks use SSH tunnels to avoid detection – Source: securityaffairs.com
- Virus Bulletin: Sygnia’s Zhongyuan Hau (Aaron) & Ren Jie Yow show how ransomware threat actors use SSH tunneling between their C2 servers and the compromised environment for persistence.
- ciso2ciso.com: Ransomware Targets ESXi Systems via Stealthy SSH Tunnels for C2 Operations – Source:thehackernews.com
|
|
FlagThis - #esxi