{"uuid": "f5e26632-2e27-44d4-8620-cfc829f6488a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226)", "description": "Ref: [https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390)\n\n# Impacted Products\n\n    VMware ESXi\n    VMware Workstation Pro / Player (Workstation)\n    VMware Fusion\n    VMware Cloud Foundation\n    VMware Telco Cloud Platform\n\n## Introduction\n\nMultiple vulnerabilities in VMware ESXi, Workstation, and Fusion were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products. \n3a. VMCI heap-overflow vulnerability (CVE-2025-22224) \n\nDescription: \nVMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3.\n\nKnown Attack Vectors:\nA malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. \n\nResolution: \nTo remediate CVE-2025-22224 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.\n\nWorkarounds:\nNone.\n\nAdditional Documentation:\nA supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004\n\nAcknowledgements:\nVMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.\n\nNotes:\nVMware by Broadcom has information to suggest that exploitation of CVE-2025-22224 has occurred in the wild.\n3b. VMware ESXi arbitrary write vulnerability (CVE-2025-22225) \n\nDescription: \nVMware ESXi contains an arbitrary write vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.2.\n\nKnown Attack Vectors:\nA malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.\n\nResolution: \nTo remediate CVE-2025-22225 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.\n\nWorkarounds:\nNone.\n\nAdditional Documentation:\nA supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004\n\nAcknowledgements:\nVMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.\n\nNotes:\nVMware by Broadcom has information to suggest that exploitation of CVE-2025-22225 has occurred in the wild.\n3c. HGFS information-disclosure vulnerability (CVE-2025-22226)\n\nDescription: \nVMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability due to an out-of-bounds read in HGFS. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.\n\nKnown Attack Vectors:\nA malicious actor with administrative privileges to a virtual machine may be able to exploit this issue to leak memory from the vmx process. \n\nResolution: \nTo remediate CVE-2025-22226 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.\n\nWorkarounds:\nNone.\n\nAdditional Documentation:\nA supplemental FAQ was created for clarification. Please see: https://brcm.tech/vmsa-2025-0004\n\nAcknowledgements:\nVMware would like to thank Microsoft Threat Intelligence Center for reporting this issue to us.\n\nNotes:\nVMware by Broadcom has information to suggest that exploitation of CVE-2025-22226 has occurred in the wild.", "creation_timestamp": "2025-03-04T15:17:20.591694+00:00", "timestamp": "2025-03-04T15:17:46.991928+00:00", "related_vulnerabilities": ["CVE-2025-22225", "CVE-2025-22224", "CVE-2025-22226"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}