Broadcom Fixes Three VMware Zero-Days Exploited in Attacks
Broadcom has issued security updates to address three actively exploited zero-day vulnerabilities in VMware products. These flaws, reported by the Microsoft Threat Intelligence Center, impact VMware ESX solutions, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform.
Details of the Vulnerabilities
The vulnerabilities, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow attackers with administrative or root access to chain exploits, enabling them to escape the virtual machine's sandbox and gain control over the hypervisor.
Broadcom explains that these vulnerabilities pose a serious risk:
“This is a situation where an attacker who has already compromised a virtual machine's guest OS and gained privileged access (administrator or root) could move into the hypervisor itself. Broadcom has information to suggest that exploitation of these issues has occurred ‘in the wild’.”
Breakdown of the Exploited Flaws
CVE-2025-22224 – A critical-severity VMCI heap overflow vulnerability that allows local attackers with administrative privileges on a targeted VM to execute code as the VMX process running on the host.
CVE-2025-22225 – An ESXi arbitrary write vulnerability that enables the VMX process to perform arbitrary kernel writes, facilitating a sandbox escape.
CVE-2025-22226 – An HGFS information disclosure flaw that allows threat actors with administrative privileges to leak memory from the VMX process.
Growing Threat Against VMware Environments
VMware vulnerabilities have increasingly become prime targets for ransomware groups and state-sponsored attackers due to their widespread use in enterprise environments. These systems often store and manage critical corporate data, making them valuable attack surfaces.
This is not the first time VMware vulnerabilities have been exploited:
November 2024 – Broadcom warned that attackers were actively exploiting two VMware vCenter Server vulnerabilities (CVE-2024-38813 & CVE-2024-38812), which were patched in September.
January 2024 – Broadcom disclosed that Chinese state-backed hackers had exploited CVE-2023-34048 as a zero-day since 2021 to deploy VirtualPita and VirtualPie backdoors on ESXi hosts.
Mitigation and Next Steps
Broadcom urges all VMware users to apply the latest security patches immediately to prevent further exploitation. Administrators should:
Update VMware installations to the latest patched versions.
Restrict administrative access to minimize the risk of privilege escalation.
Monitor system logs for unusual activities indicating potential compromise.
Given the active exploitation of these flaws, organizations using VMware products should prioritize securing their infrastructure to mitigate potential cyber threats.
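As an added example (not code from the article or from Broadcom), the following Python check supports the first remediation step: it parses ESXi version banners from a host inventory and lists hosts whose build predates the fixed build for their release line. The banner format, the host names, and the FIXED_BUILDS thresholds are assumptions; the thresholds are placeholders to be replaced with the build numbers in Broadcom's advisory.

```python
import re
from dataclasses import dataclass

# PLACEHOLDER thresholds (invented for this example): the first build of each
# ESXi release line that carries the fix for CVE-2025-22224/22225/22226.
# Replace with the fixed build numbers from Broadcom's advisory.
FIXED_BUILDS = {
    "8.0": 90000000,
    "7.0": 80000000,
}

# Assumed banner layout, e.g. the first line of `vmware -vl` on an ESXi host.
VERSION_RE = re.compile(
    r"VMware ESXi (?P<version>\d+\.\d+(?:\.\d+)?) build-(?P<build>\d+)"
)

# Constructed sample inventory: host name -> captured version banner.
SAMPLE_INVENTORY = {
    "esx01": "VMware ESXi 8.0.3 build-89999999",
    "esx02": "VMware ESXi 8.0.3 build-90000001",
    "esx03": "VMware ESXi 7.0.3 build-79000000",
    "esx04": "VMware ESXi 6.7.0 build-17000000",
}


@dataclass
class HostStatus:
    host: str
    version: str
    build: int
    patched: bool


def parse_banner(host: str, banner: str) -> HostStatus:
    """Parse one banner and decide whether its build is at or past the fix."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"{host}: unrecognised banner {banner!r}")
    major = ".".join(m["version"].split(".")[:2])
    build = int(m["build"])
    threshold = FIXED_BUILDS.get(major)
    # A release line with no known fixed build is treated as unpatched,
    # so end-of-life hosts (here 6.7) are flagged rather than silently passed.
    patched = threshold is not None and build >= threshold
    return HostStatus(host, m["version"], build, patched)


def hosts_needing_patch(inventory: dict) -> list:
    """Return unpatched hosts, oldest build first, for remediation ordering."""
    statuses = [parse_banner(h, b) for h, b in inventory.items()]
    return sorted((s for s in statuses if not s.patched), key=lambda s: s.build)
```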