CyberSecurity news

FlagThis - #vmware

@support.broadcom.com //
Broadcom has issued a patch for a moderate-severity vulnerability, CVE-2025-22247 (CVSSv3 6.1), affecting VMware Tools versions 11.x.x and 12.x.x. The flaw is an insecure file handling vulnerability: an attacker with non-administrative privileges inside a guest virtual machine (VM) could tamper with local files and thereby trigger insecure file operations within that VM, a foothold for further compromise of the guest. The vulnerability affects VMware Tools on Windows and Linux; macOS is not affected.

Broadcom's advisory states that the flaw can be exploited by an attacker with non-administrative privileges within a guest VM to tamper with local files and trigger insecure file operations in that VM, leading to unauthorized actions. VMware Tools 12.5.2 remediates the vulnerability; for Windows 32-bit systems the fix is in VMware Tools 12.4.7, which ships as part of the 12.5.2 release.

For Linux guests, the fix lands in open-vm-tools and is distributed by the individual Linux distributions, so administrators should track their vendor's package updates rather than the upstream VMware Tools version number. Administrators are urged to update VMware Tools on affected guests promptly. Sergey Bliznyuk of Positive Technologies reported the vulnerability.
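The version rules above have two traps for anyone sweeping a fleet: the 32-bit Windows fix (12.4.7) sorts below the 64-bit fix (12.5.2), so a plain "is it at least 12.5.2" check misclassifies patched 32-bit guests, and Linux guests cannot be judged by the upstream version at all because the fix arrives through the distribution's open-vm-tools package. The script below is an added example, not Broadcom's tooling; the inventory layout, VM names and build numbers are constructed for illustration, and only the CVE-2025-22247 fixed versions stated on this page are encoded.

```python
"""Triage VMware Tools versions against the CVE-2025-22247 fixed releases.

Added example (not Broadcom's code). Assumes an exported inventory in the
CSV-like layout constructed below; VM names and build numbers are made up.
Fixed versions are those stated in the advisory summary: 12.5.2 for Windows
(64-bit) and 12.4.7 for Windows 32-bit. Linux guests are never judged by the
upstream version number, because distributions backport the fix into their
own open-vm-tools package; macOS is not affected.
"""
import re
from typing import Dict, Tuple

# Fixed versions per (guest OS, arch). Linux is deliberately absent: see above.
FIXED = {
    ("windows", "x64"): (12, 5, 2),
    ("windows", "x86"): (12, 4, 7),
}
AFFECTED_MAJORS = {11, 12}   # version lines named in the advisory

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings such as
    '12.4.5.46049 (build-23787635)' (the shape vmware-toolbox-cmd -v prints)."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(os_name: str, arch: str, version_text: str) -> str:
    """Return one of: patched, vulnerable, not_affected,
    check_vendor_package, outside_advisory_range_upgrade, unknown_platform."""
    os_name, arch = os_name.lower(), arch.lower()
    if os_name == "macos":
        return "not_affected"
    if os_name == "linux":
        # The distro keeps its own version string and backports the fix;
        # compare against the vendor's fixed package version instead.
        return "check_vendor_package"
    fixed = FIXED.get((os_name, arch))
    if fixed is None:
        return "unknown_platform"
    ver = parse_version(version_text)
    if ver[0] not in AFFECTED_MAJORS:
        # e.g. 10.x: not in the advisory's 11.x/12.x range, but still older
        # than the fix. Treat as "upgrade", never as "safe".
        return "outside_advisory_range_upgrade" if ver < fixed else "patched"
    return "patched" if ver >= fixed else "vulnerable"


# Constructed sample inventory (not real hosts): name, guest OS, arch, Tools version
SAMPLE_INVENTORY = """\
win-db01,windows,x64,12.5.0.24276846
win-legacy32,windows,x86,12.4.7.24387003
win-legacy32b,windows,x86,12.4.5.23787635
win-fs02,windows,x64,12.5.2.24697584
lin-web01,linux,x64,12.3.5 (build-22544099)
mac-build01,macos,x64,12.5.0.24276846
win-old,windows,x64,10.3.26.14207040
"""


def triage(inventory_csv: str) -> Dict[str, str]:
    """Map each inventory VM name to its CVE-2025-22247 status."""
    results: Dict[str, str] = {}
    for line in inventory_csv.strip().splitlines():
        name, os_name, arch, ver = (f.strip() for f in line.split(",", 3))
        results[name] = classify(os_name, arch, ver)
    return results


if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14} {status}")
```

Note the asymmetry: a 64-bit Windows guest at 12.4.7 is still reported vulnerable, because 12.4.7 only carries the fix for the 32-bit build.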

References:
  • securityonline.info: VMware Tools Update Addresses Insecure File Handling Vulnerability
  • Open Source Security: Re: CVE-2025-22247 - Insecure file handling vulnerability in open-vm-tools
  • thecyberexpress.com: New VMware Tools Vulnerability Allows Attackers to Tamper with Virtual Machines, Broadcom Issues Urgent Patch
  • Rescana: Patch Now: Secure VMware Tools from Insecure File Handling Vulnerability CVE-2025-22247
  • Open Source Security: CVE-2025-22247 - Insecure file handling vulnerability in open-vm-tools

Pierluigi Paganini@Security Affairs //
Broadcom has issued security updates to address a high-severity authentication bypass vulnerability in VMware Tools for Windows. Tracked as CVE-2025-22230, the flaw stems from improper access control and could allow a malicious actor with non-administrative privileges on a Windows guest virtual machine to perform certain high-privilege operations within that VM. Discovered by Sergey Bliznyuk of Positive Technologies, the vulnerability affects VMware Tools versions 11.x.x and 12.x.x and is fixed in VMware Tools 12.5.1.

Security experts urge users to apply the update promptly, as there is no workaround other than patching. The vulnerability carries a CVSSv3 base score of 7.8 (high). It affects only VMware Tools for Windows; the Linux and macOS builds are not affected.

References:
  • securityaffairs.com: Broadcom released security updates to address a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230 (CVSS score 9.8), impacting VMware Tools for Windows.
  • securityonline.info: VMware Tools for Windows Hit by CVE-2025-22230 Auth Bypass Flaw
  • The DefendOps Diaries: Understanding the VMware Tools Authentication Bypass Vulnerability
  • thehackernews.com: New Security Flaws Found in VMware Tools and CrushFTP — High Risk, No Workaround
  • www.csoonline.com: VMware plugs a high-risk vulnerability affecting its Windows-based virtualization
  • BleepingComputer: Broadcom Warns of Authentication Bypass in VMware Windows Tools
  • www.techradar.com: Broadcom warns of worrying security flaws affecting VMware tools
  • Security Risk Advisors: New VMware Tools vulnerability (CVE-2025-22230) allows non-admin Windows guest users to perform privileged operations.
  • Security | TechRepublic: Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication

@csoonline.com //
Three zero-day vulnerabilities, one of them rated critical, have been disclosed in VMware products and are being actively exploited in the wild. They affect VMware ESXi, Workstation, and Fusion and allow an attacker who already holds administrative privileges inside a guest VM to execute code on the host and escalate privileges. Microsoft's Threat Intelligence Center (MSTIC) discovered the vulnerabilities, which have since been added to CISA's Known Exploited Vulnerabilities Catalog.

Affected VMware products include ESXi 8.0 and 7.0, Workstation 17.x, Fusion 13.x, Cloud Foundation 5.x and 4.5.x, and Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x. The vulnerabilities, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, carry CVSSv3 base scores of 9.3 (critical), 8.2, and 7.1 respectively. Organizations running these products are strongly advised to apply the available patches immediately.

References:
  • cyble.com: Three critical zero-day vulnerabilities in VMware products, affecting VMware ESXi, Workstation, and Fusion, were reported as exploited in the wild.
  • research.kudelskisecurity.com: Three critical zero-day vulnerabilities found in VMware products were actively being exploited in the wild.
  • MSSP feed for Latest: Multiple zero-day vulnerabilities in VMware's ESXi, Workstation, and Fusion products were identified and confirmed by VMware, with evidence of active exploitation.

@csoonline.com //
Three zero-day vulnerabilities have been disclosed in VMware ESXi, Workstation, and Fusion. Tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, they are being actively exploited in the wild. Broadcom published its advisory (VMSA-2025-0004) on March 4, 2025, crediting Microsoft's Threat Intelligence Center (MSTIC) with the discovery. Chained together, the three flaws let an attacker with administrative privileges inside a guest escape the virtual machine and gain access to the ESXi hypervisor.

The affected products include VMware ESXi, Workstation Pro/Player, Fusion, Cloud Foundation, and Telco Cloud Platform. Exploitation is not remote: the attacker needs privileged access inside a guest VM, from which the flaws allow code execution in the host's VMX process, privilege escalation, and disclosure of VMX process memory. VMware has released patches, and CISA has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging immediate patching.

References:
  • Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom.
  • securityaffairs.com: VMware fixed three actively exploited zero-days in ESX products
  • www.csoonline.com: VMware ESXi gets critical patches for in-the-wild virtual machine escape attack.
  • research.kudelskisecurity.com: Summary On March 4th, Microsoft’s Threat Intelligence Center (MSTIC) uncovered three critical vulnerabilities in VMware products that are being actively exploited in the wild. Affected
  • www.tenable.com: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
  • fortiguard.fortinet.com: Multiple zero-day vulnerabilities have been identified in VMware's ESXi, Workstation, and Fusion products. VMware has confirmed that these vulnerabilities are being actively exploited in the wild, and the Cybersecurity and Infrastructure Security Agency (CISA) has included them in its Known Exploited Vulnerabilities Catalog due to evidence of such exploitation.
  • The Register - Software: VMware splats guest-to-hypervisor escape bugs already exploited in wild. Broadcom today pushed out patches for three VMware hypervisor-hijacking bugs, including one rated critical, that have already been found and exploited by criminals.
  • Blog: Key Takeaways: Three zero-day vulnerabilities have been discovered in VMware products, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. Nearly all supported and unsupported VMware products are impacted, including VMware ESXi, VMware Workstation Pro / Player (Workstation), VMware Fusion, VMware Cloud Foundation, and VMware Telco Cloud Platform. Chaining these 3 vulnerabilities together allows an attacker to escape or "break out" of a "child" Virtual Machine (VM), gain access to the "parent" ESXi Hypervisor, and potentially access any other accessible VM as well as gain access to the management network of the exposed VMware cluster.

@csoonline.com //
Broadcom has issued urgent security patches for three actively exploited vulnerabilities affecting VMware ESXi, Workstation, and Fusion. The flaws, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, enable code execution on the host and disclosure of sensitive information, and exploitation against ESXi has been observed in the wild, so timely patching is essential. The affected versions are VMware ESXi 8.0 and 7.0, Workstation 17.x, Fusion 13.x, Cloud Foundation 5.x and 4.5.x, and Telco Cloud Platform.

The most severe flaw, CVE-2025-22224, carries a CVSSv3 score of 9.3 and is a heap-overflow (time-of-check/time-of-use) vulnerability in VMCI that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine could exploit it to execute code as that virtual machine's VMX process on the host, the step that turns a guest compromise into a hypervisor compromise. Broadcom credited Microsoft's MSTIC with discovering and reporting the vulnerabilities. CISA has added the three zero-days to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to patch them by March 25, 2025.
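Once an entry lands in KEV the two operational questions are which assets run an affected product and how many days remain until the due date. The script below is an added example, not CISA's or Broadcom's code. The feed extract is a constructed sample in the KEV JSON layout (the field names are those of the public catalog feed, the descriptions are paraphrased from this page), the inventory hosts and version strings are made up, and the affected-version prefixes are the ones listed in the advisory summaries above. It deliberately reports hosts on versions the advisory does not list (an out-of-support ESXi 6.7 here) rather than silently dropping them.

```python
"""Cross-check a CISA KEV feed extract against a host inventory.

Added example (not CISA's or Broadcom's code). KEV_SAMPLE is a constructed
record set in the public catalog's JSON layout; INVENTORY hosts and version
strings are made up. Affected version prefixes come from the advisory
summary on this page (ESXi 8.0/7.0, Workstation 17.x, Fusion 13.x).
"""
import json
from datetime import date
from typing import List, Tuple

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-22224", "vendorProject": "VMware",
         "product": "ESXi and Workstation",
         "shortDescription": "Heap overflow leading to an out-of-bounds write; "
                             "code execution as the VMX process on the host",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "requiredAction": "Apply mitigations per vendor instructions",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-22225", "vendorProject": "VMware",
         "product": "ESXi",
         "shortDescription": "Arbitrary write in the VMX process",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "requiredAction": "Apply mitigations per vendor instructions",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-22226", "vendorProject": "VMware",
         "product": "ESXi, Workstation, and Fusion",
         "shortDescription": "Information disclosure from the VMX process",
         "dateAdded": "2025-03-04", "dueDate": "2025-03-25",
         "requiredAction": "Apply mitigations per vendor instructions",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Version lines named in the advisory, matched by prefix.
AFFECTED_VERSIONS = {
    "ESXi": ("8.0", "7.0"),
    "Workstation": ("17.",),
    "Fusion": ("13.",),
}

# Constructed inventory (host, product, version); not real systems.
INVENTORY = """\
esx-prod-01,ESXi,8.0.3
esx-prod-02,ESXi,7.0.3
esx-lab-09,ESXi,6.7.0
dev-laptop-07,Workstation,17.5.2
mac-dev-03,Fusion,13.5.2
jump-box-01,Horizon,8.12
"""


def products_in(entry: dict) -> List[str]:
    """'ESXi, Workstation, and Fusion' -> ['ESXi', 'Workstation', 'Fusion']."""
    text = entry["product"].replace(" and ", ", ")
    return [p.strip() for p in text.split(",") if p.strip()]


def days_until_due(entry: dict, today: date) -> int:
    """Days left before the KEV due date; negative once it has passed."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def listed_in_advisory(product: str, version: str) -> bool:
    """True when the version falls in a line the advisory explicitly lists."""
    return any(version.startswith(p) for p in AFFECTED_VERSIONS.get(product, ()))


def match(feed_json: str, inventory_csv: str, today: date
          ) -> List[Tuple[str, str, bool, int]]:
    """Return (host, cveID, version_listed, days_left) for every inventory host
    whose product appears in a VMware KEV entry. Hosts on versions the advisory
    does not list are still returned, flagged with version_listed=False."""
    feed = json.loads(feed_json)
    hits: List[Tuple[str, str, bool, int]] = []
    for entry in feed["vulnerabilities"]:
        if entry["vendorProject"] != "VMware":
            continue
        products = products_in(entry)
        for line in inventory_csv.strip().splitlines():
            host, product, version = (f.strip() for f in line.split(","))
            if product in products:
                hits.append((host, entry["cveID"],
                             listed_in_advisory(product, version),
                             days_until_due(entry, today)))
    return hits


if __name__ == "__main__":
    for host, cve, listed, days in match(KEV_SAMPLE, INVENTORY, date.today()):
        flag = "" if listed else "  (version not listed in advisory: verify support status)"
        print(f"{host:14} {cve}  due in {days:>4} days{flag}")
```

In production the feed comes from CISA's published JSON rather than the inline sample, and the inventory from the hypervisor management layer; the matching and deadline logic stay the same.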

References:
  • bsky.app: Broadcom released security patches to patch an actively exploited zero-day in its VMware ESXi products. Broadcom credited Microsoft's MSTIC security team with spotting and reporting the attacks.
  • The Hacker News: Broadcom Releases Urgent Patches
  • The Register - Software: VMware splats guest-to-hypervisor escape bugs already exploited in wild
  • www.csoonline.com: VMware ESXi gets critical patches for in-the-wild virtual machine escape attack
  • securityaffairs.com: VMware fixed three actively exploited zero-days in ESX products
  • Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom
  • bsky.app: BleepingComputer article on VMware zero-days.
  • Vulnerability-Lookup: A new bundle, VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226), has been published on Vulnerability-Lookup:
  • The Record: Three product lines from technology giant VMware — ESXI, Workstation and Fusion — have patches for vulnerabilities that the company and the federal government have said are being exploited by hackers
  • securityaffairs.com: U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
  • borncity.com: 0-day vulnerabilities in VMWare ESXi, Workstation and Fusion
  • socradar.io: VMware Security Alert: Active Exploitation of Zero-Day Vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226)
  • Blog: Multiple zero-days in VMware products actively exploited
  • gbhackers.com: CISA Issues Alert on Actively Exploited VMware Vulnerabilities
  • www.tenable.com: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
  • Information Security Buzz: Broadcom warns VMware users of Critical Zero-Day Exploits
  • www.cybersecuritydive.com: 37K+ VMware ESXi instances vulnerable to critical zero-day
  • www.itpro.com: Broadcom issues urgent alert over three VMware zero-days
  • Carly Page: Broadcom is warning that a trio of VMware vulnerabilities are being actively exploited by hackers to compromise the networks of its corporate customers
  • techcrunch.com: Security experts warn of ‘huge impact’ of actively exploited hypervisor flaws that allow sandbox escape
  • Security Risk Advisors: Three Critical VMware Vulnerabilities Exploited in Wild Targeting ESXi, Workstation, and Fusion
  • www.cybersecuritydive.com: Broadcom urges customers to patch 3 zero-day VMware flaws
  • MSSP feed for Latest: Broadcom: VMware Zero-Days Being Exploited in the Wild
  • www.bleepingcomputer.com: Over 37,000 internet-exposed VMware ESXi instances are vulnerable to CVE-2025-22224, a critical out-of-bounds write flaw that is actively exploited in the wild.
  • research.kudelskisecurity.com: Critical VMware ESXi, Workstation, Fusion Vulnerabilities Seen Exploited in Wild
  • cyble.com: Three VMware Zero-Days Under Active Exploitation – What You Need to Know
  • Zack Whittaker: VMware emergency hypervisor escape bugs under attack