Related Coverage

• VMSA-2025-0004: Questions & Answers VMware on GitHub
• 37K+ VMware ESXi instances vulnerable to critical zero-day Cybersecurity Dive · Rob Wright
• Use one Virtual Machine to own them all — active exploitation of VMware ESX hypervisor escape ESXicape DoublePulsar · Kevin Beaumont
• Issue date:  —  2025-03-04 (Initial Advisory)  —  CVE(s)  —  CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 Broadcom support portal
• Multiple zero-day vulnerabilities in Broadcom VMware ESXi and other products Rapid7 · Stephen Fewer
• Threat posed by new VMware hyperjacking vulnerabilities is hard to overstate Ars Technica · Dan Goodin
• Broadcom urges VMware customers to patch ‘emergency’ zero-day bugs under active exploitation TechCrunch · Carly Page
• 0-day vulnerabilities in VMWare ESXi, Workstation and Fusion Born's Tech and Windows World · Guenni
• 41,500+ VMware ESXi Instances Vulnerable to Code Execution Attacks Cyber Security News · Guru Baran
• VMware Security Flaws Exploited in the Wild—Broadcom Releases Urgent Patches The Hacker News
• 3 VMware Zero-Day Bugs Allow Sandbox Escape Dark Reading · Jai Vijayan
• VMware Security Alert: Active Exploitation of Zero-Day Vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) SOCRadar® Cyber Intelligence Inc.
• Broadcom Patches 3 VMware Zero-Days Exploited In The Wild SecurityWeek · Eduard Kovacs
• Three Actively-Exploited VMware Bugs Addressed By Broadcom ChannelE2E
• VMware ESXi & Workstation & Fusion Multiple High-risk Vulnerabilities (CVE-2025-22224/CVE-2025-22225/CVE- 2025-22226) Security Boulevard
• VMware splats guest-to-hypervisor escape bugs already exploited in wild The Register · Jessica Lyons
• Patched VMware Zero Days Exploited, Pose ‘Serious’ Risk Channel Futures · Edward Gately
• VMware Warns Customers to Patch Actively Exploited Zero-Day Vulnerabilities Infosecurity · James Coker
• VMware ESXi gets critical patches for in-the-wild virtual machine escape attack CSO · Lucian Constantin
• CISA, VMware warn of new vulnerabilities being exploited by hackers The Record · Jonathan Greig
• U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog Security Affairs · Pierluigi Paganini
• VMware flaws exploited in the wild; Broadcom releases patches SC Media · Steve Zurier
• CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited Security Boulevard · Satnam Narang
• Broadcom reports multiple actively exploited zero-days in several VMware ESXi products Cyber Daily · David Hollingworth
• Broadcom releases fixes for multiple VMware security flaws TechRadar
• VMware ESXi Vulnerabilities Exploited in Wild to Execute Malicious Code Cyber Security News · Guru Baran
• VMware fixed three actively exploited zero-days in ESX products Security Affairs · Pierluigi Paganini
• CISA Warns of Actively Exploited VMware Vulnerabilities, Urges Immediate Patching Cyber Security News · Guru Baran
• We are scanning & reporting out VMware ESXi CVE-2025-22224 vulnerable instances ("a malicious actor with local admin privileges on a virtual machine may exploit this to execute code as virtual machine's VMX process running on host").  —  Nearly 41.5K found vulnerable on 2025-03-04. … @shadowserver@infosec.exchange
• @dangoodin say if it was Azure and it was a HyperV escape (different product), you'd be able to use any Azure customer to compromise everybody on Azure.  That's why MS pays very well for HyperV escapes.  —  With this vuln you'd be able to use it to traverse VMware managed hosting providers, private clouds orgs have built on prem etc. … @GossiTheDog@cyberplace.social · Kevin Beaumont
• VMware have set the Attack Vector to Local, which brings down the CVSS score - but you don't need to be locally at a VM to do the attack, you can do it over the internet if you have access to any VM.  —  If you change it to Network, you get 10  —  [images] @GossiTheDog@cyberplace.social · Kevin Beaumont
• @dangoodin @GossiTheDog  —  Given hypervisors will often have multiple customers/projects/security zones on, this class of vulnerability is very bad news.  —  A customer doing a bad job of securing just one VM puts every other VM on that hypervisor at risk as long as there is a VM escape vuln in the hypervisor. @interpipes@thx.gg
• Quick mspaint.exe diagram on this, calling it ESXicape  — Have access to something like a Windows 11 Virtual Desktop system in VMware, or a Linux box or some such?  — Use ESXicape, a chain of three zero days, to gain access to the ESXi Hypervisor. … @GossiTheDog@cyberplace.social · Kevin Beaumont
• 3 different VMware zero days, under active exploitation by ransomware groups  —  CVE-2025-22224, CVE-2025-22225, CVE-2025-22226  —  VMware ESXi  —  VMware Workstation Pro / Player (Workstation)  —  VMware Fusion  —  VMware Cloud Foundation  —  VMware Telco Cloud Platform … @GossiTheDog@cyberplace.social · Kevin Beaumont
• “[..] this is being actively exploited in the wild.  —  Once you have ESX access, you can access everything on the ESX server … Tomasz Kruk