
Critical Zero-day Vulnerabilities in VMware ESXi, Workstation, and Fusion (CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226)

CVE numbers: CVE-2025-22224, CVE-2025-22225 and CVE-2025-22226

Broadcom has patched three vulnerabilities, reported as exploited in the wild, that when chained allow an attacker with administrative privileges inside a running virtual machine to escape the guest and run code on the hypervisor.

There are no workarounds. Exploiting these vulnerabilities does require administrator/root privileges inside a guest operating system, so existing controls that limit who can obtain those privileges (and which VMs untrusted users can run) reduce exposure, but they do not remove it. The only remediation is to update the affected products and restart the ESXi hosts; nothing short of patching and rebooting closes the hole.

CVE Details

  • CVE-2025-22224 is a heap-overflow (TOCTOU) vulnerability in VMCI affecting ESXi and Workstation, with a CVSSv3 score of 9.3. An attacker with local administrative privileges inside a virtual machine (VM) can use it to execute arbitrary code as that VM's VMX process (the per-VM worker process running on the host).
  • CVE-2025-22225 is an arbitrary write vulnerability affecting ESXi, with a CVSSv3 score of 8.2. An attacker who already controls the VMX process (for example via CVE-2025-22224) can trigger an arbitrary kernel write and escape the VMX sandbox onto the hypervisor itself.
  • CVE-2025-22226 is an information disclosure vulnerability (an out-of-bounds read in HGFS) affecting ESXi, Workstation and Fusion, with a CVSSv3 score of 7.1. An attacker with administrative privileges inside a VM can leak memory from the VMX process; a leak of this kind is typically what makes the other two bugs reliably exploitable.

Impacted Products

  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion
  • VMware Cloud Foundation
  • VMware Telco Cloud Platform
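Because the only remediation is to patch and reboot, the first practical step is finding which hosts are still below the fixed build. The script below is an added example, not code from this article or from Broadcom: it parses the first line of `vmware -vl` output from each ESXi host and classifies it against the fixed build numbers for VMSA-2025-0004 (ESXi 8.0 U3d, 8.0 U2d and 7.0 U3s, taken from the Broadcom advisory linked under Further details; confirm them against the advisory before relying on the script). Hosts on a 7.0 or 8.0 version that has no fixed build at all (for example 8.0.1) are reported as vulnerable because they must be upgraded to a patched line, and hosts on lines the advisory does not list (6.x) are reported as unknown. The sample inventory is constructed for the example; the host names and builds are not real.

```python
import re
from typing import Dict, Tuple

# Minimum fixed build per ESXi release line, from VMSA-2025-0004
# (ESXi 8.0 U3d, ESXi 8.0 U2d and ESXi 7.0 U3s). Verify against the
# Broadcom advisory before relying on these numbers.
FIXED_BUILDS: Dict[str, int] = {
    "8.0.3": 24585383,
    "8.0.2": 24585300,
    "7.0.3": 24585291,
}

# Release lines covered by the advisory: a host on one of these lines
# whose exact version has no fixed build (e.g. 8.0.1) must be upgraded.
COVERED_LINES = ("8.0", "7.0")

# Matches the first line printed by `vmware -vl` on an ESXi host,
# e.g. "VMware ESXi 8.0.3 build-24585383".
VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+\.\d+) build-(\d+)")


def parse_version(text: str) -> Tuple[str, int]:
    """Return (version, build) from `vmware -vl` output; raise if not ESXi."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an ESXi version string: {text!r}")
    return m.group(1), int(m.group(2))


def classify(text: str) -> str:
    """Classify one host as 'fixed', 'vulnerable' or 'unknown' for VMSA-2025-0004."""
    version, build = parse_version(text)
    fixed = FIXED_BUILDS.get(version)
    if fixed is not None:
        # Same release line as a fixed build: compare build numbers.
        return "fixed" if build >= fixed else "vulnerable"
    # "8.0.1" -> "8.0": an affected line with no patched build, so upgrade.
    if version.rsplit(".", 1)[0] in COVERED_LINES:
        return "vulnerable"
    # Not listed in the advisory (e.g. 6.x): review manually.
    return "unknown"


def report(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for a dict of host -> `vmware -vl` output."""
    return {host: classify(output) for host, output in inventory.items()}


# Constructed sample inventory (hypothetical hosts and builds). In practice,
# collect `vmware -vl` over SSH or from your inventory tooling.
SAMPLE_INVENTORY = {
    "esx01": "VMware ESXi 8.0.3 build-24022510\nVMware ESXi 8.0 Update 3",
    "esx02": "VMware ESXi 8.0.3 build-24585383\nVMware ESXi 8.0 Update 3",
    "esx03": "VMware ESXi 7.0.3 build-23794027\nVMware ESXi 7.0 Update 3",
    "esx04": "VMware ESXi 8.0.1 build-21495797\nVMware ESXi 8.0 Update 1",
    "esx05": "VMware ESXi 6.7.0 build-17700523\nVMware ESXi 6.7 Update 3",
}

if __name__ == "__main__":
    for host, status in sorted(report(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

The comparison is done on build numbers rather than on the "Update 3" text, because the fixed builds are point releases within an existing update line and the update name alone does not tell you whether the March 2025 patch is installed.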

Further details: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390 and https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004

Jason Davies

I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.
