Vulnerabilities Can Apparently Be Chained Together to Execute a Hypervisor Escape

Broadcom’s VMware cloud infrastructure division issued updates to patch three actively exploited zero-day vulnerabilities in its ESXi hypervisor operating system, used for deploying and serving virtual computers.
The flaws can be used to perform a virtual machine escape. “This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access – administrator or root – could move into the hypervisor itself,” Broadcom said in a Tuesday security advisory.
All three flaws exist in all supported versions of VMware ESX – aka ESXi – and Workstation, Fusion, Cloud Foundation and Telco Cloud Platform products. Hackers are actively exploiting the flaws, it warned.
Shortly after the advisory appeared, the U.S. Cybersecurity and Infrastructure Security Agency added the flaws to its catalog of known exploited vulnerabilities.
Researchers warned against underestimating the risk posed by the vulnerabilities, which attackers can use to remotely execute code to compromise systems and steal data. “An in-the-wild exploit for RCE hypervisors to escape across every supported – and unsupported – product like this is unprecedented,” said British cybersecurity expert Kevin Beaumont in a post to social platform Mastodon.
“Once you have ESX access, you can access everything on the ESX server – which includes things such as VM data and crucially ESX config and mounted storage,” he said in a blog post. “Using ESX config and mounted network storage, you can traverse the VMware environment.”
In addition, thanks to having escaped the hypervisor, an attacker would be operating in a “black box” environment that is “outside of all security tooling and monitoring,” he said.
The three vulnerabilities, with their severity scored on the Common Vulnerability Scoring System, are:
- CVE-2025-22224 (CVSS 9.3): A time-of-check time-of-use vulnerability that an attacker with local administrative privileges could use to execute code via the virtual machine executable, or VMX, process;
- CVE-2025-22225 (CVSS 8.2): An arbitrary write vulnerability that an attacker with VMX access privileges can use “to trigger an arbitrary kernel write leading to an escape of the sandbox,” said cybersecurity firm Rapid7;
- CVE-2025-22226 (CVSS 7.1): An information disclosure vulnerability that an attacker with admin-level privileges could exploit.
“Based on the information in the advisory, it appears that the three vulnerabilities can be chained together,” said Stephen Fewer, principal security researcher at Rapid7, in a blog post.
Ransomware-wielding attackers, among others, continue to target unpatched ESXi systems, oftentimes stealing data and holding it to ransom after encrypting the environment.
Organizations should patch the vulnerabilities as quickly as possible, especially while there is still a window in which “there is no known public exploit code for any of the CVEs,” meaning the technique for exploiting the flaws isn’t yet widely known, Rapid7 said. “Nevertheless, given that ESXi hypervisors are popular targets for both financially motivated and state-sponsored adversaries, Rapid7 recommends applying vendor-supplied fixes on an expedited basis.”
Patch Vulnerabilities via Updates
Broadcom said fixing the flaws requires installing the updates – and in the case of Telco Cloud Platform, installing the updated version of ESXi, which may require updating the underlying product’s license – as well as restarting VMware ESX.
“Exploiting this vulnerability does require administrator/root privileges on a guest operating system, so there are other layers of defenses that can help if they are in place,” Broadcom said. “There are no other meaningful workarounds that do not involve updating and restarting VMware ESX.”
Any organization that already uses vMotion for automatic load balancing can employ it “to relocate virtual machines to alternate hosts while you update, in a ‘rolling reboot’ fashion,” Broadcom said. “Virtual machines that do not use vMotion will need to be powered down during the host restart.”
All currently supported versions of the products appear to have the vulnerabilities, including VMware vSphere 6.7. For any organization that still uses VMware vSphere 6.5, a patch is available if they have paid for extended support. Security experts said organizations should assume that all older versions of ESXi, for which no patches are available, are also vulnerable, including version 5.5.
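The patching guidance above (rolling reboot where vMotion is available, VM power-down where it is not, extended support for 6.5, no fix for older releases) can be turned into a triage pass over a host inventory. The script below is an added example, not Broadcom or VMware code; the fixed build numbers are placeholders to be replaced with the values from the vendor advisory, and the inventory is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# PLACEHOLDER fixed-build numbers keyed by ESXi release; take the real values from
# the vendor advisory. Releases absent here are handled by support status below.
FIXED_BUILD = {"8.0": 90000000, "7.0": 80000000, "6.7": 70000000}
EXTENDED_SUPPORT_ONLY = {"6.5"}   # a fix exists only for paid extended support

@dataclass
class Host:
    name: str
    cluster: str
    version: str    # ESXi release, e.g. "6.7"
    build: int
    vmotion: bool   # can its VMs be moved live to another host?

def host_action(h: Host) -> str:
    """Classify one host against the support tiers described in the advisory."""
    if h.version in FIXED_BUILD:
        return "up-to-date" if h.build >= FIXED_BUILD[h.version] else "patch-and-reboot"
    if h.version in EXTENDED_SUPPORT_ONLY:
        return "patch-requires-extended-support"
    return "no-patch-assume-vulnerable"   # e.g. 5.5: isolate or retire the host

def cluster_plan(hosts):
    """Per cluster: rolling reboot via vMotion, or VMs powered down during restart?"""
    by_cluster = defaultdict(list)
    for h in hosts:
        by_cluster[h.cluster].append(h)
    plan = {}
    for name, members in by_cluster.items():
        pending = [h for h in members if host_action(h).startswith("patch")]
        if not pending:
            plan[name] = "nothing-to-update"
            continue
        # Live evacuation needs a second host to receive the VMs, and every
        # host being restarted must itself be vMotion-capable.
        rolling = len(members) > 1 and all(h.vmotion for h in pending)
        plan[name] = "rolling-reboot" if rolling else "power-down-vms"
    return plan

# Constructed sample inventory, not data from the article.
INVENTORY = [
    Host("esx01", "prod", "8.0", 90000005, True),
    Host("esx02", "prod", "8.0", 89999990, True),
    Host("esx03", "lab", "6.7", 69999999, False),
    Host("esx04", "legacy", "6.5", 1, True),
    Host("esx05", "legacy", "5.5", 1, False),
]
```

Hosts classified as "no-patch-assume-vulnerable" are deliberately left out of the reboot plan, since there is nothing to install on them; they need isolation or retirement rather than a maintenance window.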
Recommendation: Hunt for Compromises
Security experts are urging all users of affected VMware software not just to patch but to actively hunt for signs that the vulnerabilities may already have been used against them.
On that front, some experts have criticized VMware’s alert for not going far enough. “As usual, VMware provides patches – but nothing else,” said Florian Roth, vice president of R&D for digital forensic analysis platform Nextron Systems, in a post to LinkedIn. “When zero-days are actively exploited, patching is not enough.”
His advice to users: review if hackers might have already exploited the flaw, and if so, what might now be missing. “If you’re serious about security, you need to perform a compromise assessment and actively search for indicators of compromise,” he said. “You need to determine if attackers already have a foothold in your environment.”
Beaumont said the vulnerabilities are dangerous because they could give attackers access to not just a single, hosted system, but every hosted system inside an organization.
“There are around 500 managed VMware providers who operate as effectively on clouds, allowing SMBs to purchase fully managed VMs, on-demand compute basically,” he said. Compromising one customer’s virtual machine could enable an attacker to compromise every other VM hosted by that managed service provider.
“This also applies to companies that have built their own private clouds using VMware and use VMware to segregate business units,” he said.