Pierluigi Paganini@Security Affairs
//
Broadcom has issued security updates to address a high-severity authentication bypass vulnerability affecting VMware Tools for Windows. Tracked as CVE-2025-22230, the flaw stems from improper access control, potentially allowing a malicious actor with non-administrative privileges on a guest virtual machine to perform high-privilege operations. Discovered by Sergey Bliznyuk of Positive Technologies, the vulnerability impacts VMware Tools versions 11.x.x and 12.x.x.
Security experts are urging users to apply the updates promptly, as there are currently no known workarounds besides patching. The vulnerability has been assigned a CVSS score of 7.8 out of 10, highlighting its severity. It exclusively affects VMware Tools running on Windows operating systems, emphasizing the importance of immediate action for affected users.
Recommended read:
References :
- securityaffairs.com: Broadcom released security updates to address a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230 (CVSS score 9.8), impacting VMware Tools for Windows.
- securityonline.info: VMware Tools for Windows Hit by CVE-2025-22230 Auth Bypass Flaw
- The DefendOps Diaries: Understanding the VMware Tools Authentication Bypass Vulnerability
- thehackernews.com: New Security Flaws Found in VMware Tools and CrushFTP — High Risk, No Workaround
- www.csoonline.com: VMware plugs a high-risk vulnerability affecting its Windows-based virtualization
- BleepingComputer: Broadcom Warns of Authentication Bypass in VMware Windows Tools
- www.techradar.com: Broadcom warns of worrying security flaws affecting VMware tools
- Security Risk Advisors: New VMware Tools vulnerability (CVE-2025-22230) allows non-admin Windows guest users to perform privileged operations.
- Security | TechRepublic: Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication
- securityaffairs.com: Broadcom addressed a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230 (CVSS score 9.8), impacting VMware Tools for Windows.
@csoonline.com
//
Three critical zero-day vulnerabilities have been discovered in VMware products, leading to active exploitation in the wild. The vulnerabilities affect VMware ESXi, Workstation, and Fusion, potentially allowing attackers to execute arbitrary code and escalate privileges. Microsoft's Threat Intelligence Center (MSTIC) uncovered the vulnerabilities, and they have since been added to CISA's Known Exploited Vulnerabilities Catalog.
Affected VMware products include ESXi versions 8.0 and 7.0, Workstation 17.x, Fusion 13.x, Cloud Foundation 5.x and 4.5.x, and Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x. The vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, carry CVSSv3 scores of 9.3, 8.2, and 7.1 respectively. Organizations using these VMware products are strongly advised to apply the available patches immediately to mitigate the risks associated with these flaws.
Recommended read:
References :
- cyble.com: Three critical zero-day vulnerabilities in VMware products, affecting VMware ESXi, Workstation, and Fusion, were reported as exploited in the wild.
- research.kudelskisecurity.com: Three critical zero-day vulnerabilities found in VMware products were actively being exploited in the wild.
- MSSP feed for Latest: Multiple zero-day vulnerabilities in VMware's ESXi, Workstation, and Fusion products were identified and confirmed by VMware, with evidence of active exploitation.
@csoonline.com
//
Three critical zero-day vulnerabilities have been discovered in VMware products, including ESXi, Workstation, and Fusion. Tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, these flaws are actively being exploited in the wild. Microsoft's Threat Intelligence Center (MSTIC) uncovered these vulnerabilities on March 4th. Chaining these three vulnerabilities together allows an attacker to escape a virtual machine and gain access to the ESXi hypervisor.
These vulnerabilities impact a wide range of VMware products, including VMware ESXi, Workstation Pro/Player, Fusion, Cloud Foundation, and Telco Cloud Platform. Successful exploitation could grant attackers unauthorized access to systems, enabling them to execute arbitrary code remotely and escalate privileges. VMware has released patches to address these issues, and CISA has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging immediate patching.
Recommended read:
References :
- Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom.
- securityaffairs.com: VMware fixed three actively exploited zero-days in ESX products
- www.csoonline.com: VMware ESXi gets critical patches for in-the-wild virtual machine escape attack.
- research.kudelskisecurity.com: Summary On March 4th, Microsoft’s Threat Intelligence Center (MSTIC) uncovered three critical vulnerabilities in VMware products that are being actively exploited in the wild. Affected
- www.tenable.com: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
- fortiguard.fortinet.com: Multiple zero-day vulnerabilities have been identified in VMware's ESXi, Workstation, and Fusion products. VMware has confirmed that these vulnerabilities are being actively exploited in the wild, and the Cybersecurity and Infrastructure Security Agency (CISA) has included them in its Known Exploited Vulnerabilities Catalog due to evidence of such exploitation.
- The Register - Software: VMware splats guest-to-hypervisor escape bugs already exploited in wild The heap overflow zero-day in the memory unsafe code by Miss Creant Broadcom today pushed out patches for three VMware hypervisor-hijacking bugs, including one rated critical, that have already been found and exploited by criminals.…
- Blog: Key Takeaways Three zero-day vulnerabilities have been discovered in VMware products, tracked as CVE-2025-22224 , CVE-2025-22225 , and CVE-2025-22226 . Nearly all supported and unsupported VMware products are impacted, including VMware ESXi, VMware Workstation Pro / Player (Workstation), VMware Fusion, VMware Cloud Foundation, and VMware Telco Cloud Platform. Chaining these 3 vulnerabilities together allows an attacker to escape or “break out� of a “child� Virtual Machine (VM), gain access to the “parent� ESXi Hypervisor, and potentially access any other accessible VM as well as gain access to the management network of the exposed VMware cluster.
@csoonline.com
//
Broadcom has issued urgent security patches to address three actively exploited vulnerabilities affecting VMware ESXi, Workstation, and Fusion products. These flaws, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, could enable attackers to execute code and disclose sensitive information. VMware ESXi is under active exploitation in the wild, making timely patching crucial to prevent potential attacks. The vulnerabilities impact various versions of VMware ESXi 8.0, 7.0, Workstation 17.x, Fusion 13.x, Cloud Foundation 5.x and 4.x, and Telco Cloud Platform.
The most critical flaw, CVE-2025-22224, boasts a CVSS score of 9.3 and is a heap-overflow vulnerability leading to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine could exploit this to execute code as the virtual machine's VMX process running on the host. Broadcom credited Microsoft's MSTIC security team with discovering and reporting these vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to patch them by March 25, 2025.
Recommended read:
References :
- bsky.app: Broadcom released security patches to patch an actively exploited zero-day in its VMware ESXi products. Broadcom credited Microsoft's MSTIC security team with spotting and reporting the attacks.
- The Hacker News: Broadcom Releases Urgent Patches
- The Register - Software: VMware splats guest-to-hypervisor escape bugs already exploited in wild
- www.csoonline.com: VMware ESXi gets critical patches for in-the-wild virtual machine escape attack
- securityaffairs.com: VMware fixed three actively exploited zero-days in ESX products
- Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom
- bsky.app: BleepingComputer article on VMware zero-days.
- Vulnerability-Lookup: A new bundle, VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226), has been published on Vulnerability-Lookup:
- : Three product lines from technology giant VMware — ESXI, Workstation and Fusion — have patches for vulnerabilities that the company and the federal government have said are being exploited by hackers
- securityaffairs.com: U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
- borncity.com: 0-day vulnerabilities in VMWare ESXi, Workstation and Fusion
- socradar.io: VMware Security Alert: Active Exploitation of Zero-Day Vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226)
- Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom
- Blog: Multiple zero-days in VMware products actively exploited
- gbhackers.com: CISA Issues Alert on Actively Exploited VMware Vulnerabilities
- www.tenable.com: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
- Information Security Buzz: Broadcom warns VMware users of Critical Zero-Day Exploits
- www.cybersecuritydive.com: 37K+ VMware ESXi instances vulnerable to critical zero-day
- www.itpro.com: Broadcom issues urgent alert over three VMware zero-days
- Carly Page: Broadcom is warning that a trio of VMware vulnerabilities are being actively exploited by hackers to compromise the networks of its corporate customers
- techcrunch.com: Security experts warn of ‘huge impact’ of actively exploited hypervisor flaws that allow sandbox escape
- Security Risk Advisors: Three Critical VMware Vulnerabilities Exploited in Wild Targeting ESXi, Workstation, and Fusion
- www.cybersecuritydive.com: Broadcom urges customers to patch 3 zero-day VMware flaws
- MSSP feed for Latest: Broadcom: VMware Zero-Days Being Exploited in the Wild
- www.bleepingcomputer.com: Over 37,000 internet-exposed VMware ESXi instances are vulnerable to CVE-2025-22224, a critical out-of-bounds write flaw that is actively exploited in the wild.
- research.kudelskisecurity.com: Critical VMware ESXi, Workstation, Fusion Vulnerabilities Seen Exploited in Wild
- cyble.com: Three VMware Zero-Days Under Active Exploitation – What You Need to Know
- Zack Whittaker: VMware emergency hypervisor escape bugs under attack
@www.heise.de
//
A critical blind SQL injection vulnerability, identified as CVE-2025-22217, has been discovered in the VMware Avi Load Balancer. This flaw allows attackers with network access to send specially crafted SQL queries, potentially gaining unauthorized access to the underlying database. The vulnerability poses a significant risk, enabling attackers to bypass authentication and directly access sensitive information stored within the database. This access could lead to substantial data breaches and system compromise, making it a major concern for organizations using Avi Load Balancer.
The vulnerability, which scores 8.6 on the CVSS scale, stems from insufficient input validation, allowing for the injection of arbitrary SQL code. Broadcom, the vendor, urges users to apply the necessary patches immediately, as no workarounds are available. The affected versions are primarily within the 30.x range; specifically 30.1.1, 30.1.2, 30.2.1 and 30.2.2 all require patching. It is also important that if you are running 30.1.1 you MUST upgrade to at least 30.1.2 before applying the patch to resolve this issue. Versions 22.x and 21.x are not susceptible to this particular flaw.
Recommended read:
References :
- securityaffairs.com: VMware fixed a flaw in Avi Load Balancer
- : CVE-2025-22217: (VMware Avi Load Balancer: High)
- The Hacker News: Broadcom Warns of High-Severity SQL Injection Flaw in VMware Avi Load Balancer
- www.heise.de: VMware: High-risk SQL injection vulnerability compromises Avi Load Balancer
- heise online English: VMware: High-risk SQL injection vulnerability compromises Avi Load Balancer
- securityonline.info: VMware Avi Load Balancer Flaw (CVE-2025-22217) Exposes Networks to Blind SQLi Attacks
- securityonline.info: VMware Avi Load Balancer Flaw (CVE-2025-22217) Exposes Networks to Blind SQLi Attacks
- Security Risk Advisors: Critical SQL Injection Vulnerability Threatens VMware Avi Load Balancer Security
- support.broadcom.com: Critical SQL Injection Vulnerability Threatens VMware Avi Load Balancer Security
SC Staff@scmagazine.com
//
Ransomware gangs are increasingly using SSH tunneling to maintain stealthy access when targeting VMware ESXi hypervisors. This technique allows attackers to remain undetected while they move laterally within the system and deploy ransomware. Cyber security firm Sygnia's investigation has revealed that after infiltrating ESXi instances by exploiting known vulnerabilities or using stolen administrator credentials, the attackers utilize the built-in SSH service to establish covert pathways for ransomware delivery. The use of SSH tunnels, often configured with remote port-forwarding to the attacker's command-and-control server, creates a semi-persistent backdoor due to the resilience and infrequent shutdowns of ESXi appliances.
This persistent access poses a serious threat to virtualized environments as ransomware can cripple an entire business by encrypting vital virtual machines. Researchers recommend that administrators monitor specific log files, including those tracking ESXi Shell command execution, user authentication, and login attempts to identify potential SSH-based intrusions. They also suggest keeping a close watch on the hostd.log and vodb.log files as key sources of information to detect potential SSH access persistence. This is critical in an effort to detect and mitigate these sophisticated attacks.
Recommended read:
References :
- BleepingComputer: Ransomware actors targeting ESXi bare metal hypervisors are leveraging SSH tunneling to persist on the system while remaining undetected.
- securityaffairs.com: Threat actors behind ESXi ransomware attacks target virtualized environments using SSH tunneling to avoid detection.
- www.scworld.com: Covert VMware ESXI-targeted ransomware hack facilitated by SSH tunneling
- www.bleepingcomputer.com: Ransomware gang uses SSH tunnels for stealthy VMware ESXi access
- ciso2ciso.com: ESXi ransomware attacks use SSH tunnels to avoid detection – Source: securityaffairs.com
- www.sygnia.co: Sygnia’s Zhongyuan Hau (Aaron) & Ren Jie Yow show how ransomware threat actors use SSH tunneling between their C2 servers and the compromised environment for persistence.
- Pyrzout :vm:: ESXi ransomware attacks use SSH tunnels to avoid detection – Source: securityaffairs.com
- Virus Bulletin: Sygnia’s Zhongyuan Hau (Aaron) & Ren Jie Yow show how ransomware threat actors use SSH tunneling between their C2 servers and the compromised environment for persistence.
- ciso2ciso.com: Ransomware Targets ESXi Systems via Stealthy SSH Tunnels for C2 Operations – Source:thehackernews.com
|
|
FlagThis - #vmware