Today, I’m diving into a critical issue that demands immediate attention for anyone managing VMware environments: VMSA-2025-0004. Released by Broadcom on March 4, 2025, this security advisory highlights severe vulnerabilities in VMware ESXi, Workstation, and Fusion—products that form the backbone of many virtualized infrastructures. Here’s what you need to know and how to respond, especially since patches are not yet available as of this writing.
What is VMSA-2025-0004?
VMSA-2025-0004 addresses multiple vulnerabilities that could allow attackers to compromise VMware’s virtualization platforms. The most alarming of these is CVE-2025-22224, a Time-of-Check Time-of-Use (TOCTOU) vulnerability leading to an out-of-bounds write. Rated as critical with a CVSSv3 score of 9.3, this flaw enables a malicious actor with local administrative privileges on a virtual machine (VM) to execute code as the VMX process on the host. In plain terms, an attacker could break out of the VM and take over the hypervisor, potentially gaining control of the host and all VMs running on it.
The advisory also includes two other significant vulnerabilities:
- CVE-2025-22225: An arbitrary write vulnerability that could allow an attacker to escape the VMX sandbox, rated as important with a CVSSv3 score of 8.2.
- CVE-2025-22226: An information disclosure vulnerability that could leak sensitive memory from the VMX process, with a CVSSv3 score of 7.1.
What escalates the urgency is Broadcom’s confirmation that exploitation of CVE-2025-22224 and CVE-2025-22225 has been observed in the wild. Attackers are already targeting these flaws, making this a pressing threat to unmitigated systems.
Which Products Are Affected?
These vulnerabilities impact a wide range of VMware products, including:
- VMware ESXi: The hypervisor powering many data centers.
- VMware Workstation: Desktop virtualization software for developers and IT professionals.
- VMware Fusion: Virtualization software for macOS users.
This affects environments running VMware vSphere, VMware Cloud Foundation, and VMware Telco Cloud Platform that rely on ESXi, as well as individual users of Workstation and Fusion. Older versions like ESXi 6.7 and 6.5 are also vulnerable, though support considerations may complicate mitigation for those systems.
Why This Matters
Virtualization is a cornerstone of modern IT, enabling efficiency and scalability. But when the hypervisor—the foundation of this technology—is compromised, the fallout can be catastrophic. An attacker who exploits these vulnerabilities could:
- Gain full control of the host system.
- Access sensitive data across all VMs.
- Disrupt critical operations or use the compromised system as a stepping stone for broader network attacks.
With exploitation already happening, the risk is real and immediate. Organizations and individuals relying on these VMware products must act swiftly to protect their environments.
What Should You Do?
As of now, no patches are available for these vulnerabilities, which heightens the need for proactive measures. Here’s how to safeguard your systems:
- Assess Your Environment
Identify which versions of ESXi, Workstation, or Fusion you’re running. Compare them against the affected versions listed in the advisory (available at Broadcom’s support page). If your systems are impacted, they’re at risk.
- Monitor for Updates
Broadcom is likely working on patches, so check the advisory page and the VMware VCF Security Guidelines GitHub regularly. When patches are released, apply them immediately—especially for supported versions. For older versions like ESXi 6.5 or 6.7, confirm eligibility with Broadcom, as support may be limited.
- Implement Mitigations
While specific workarounds aren’t detailed in the advisory yet, review Broadcom’s supplemental FAQ and other resources for interim guidance. Common mitigation strategies for vulnerabilities like these might include:
- Restricting VM Administrative Access: Limit who has admin privileges on VMs to reduce the attack surface.
- Network Segmentation: Isolate critical VMs and hypervisors to contain potential breaches.
- Enhanced Monitoring: Watch for suspicious activity on hosts and VMs, such as unexpected process execution or memory access attempts.
The Bigger Picture
This advisory underscores a harsh reality: even foundational technologies like VMware’s virtualization platforms aren’t immune to flaws. As solutions architects, we must design with security baked in—but we also need to stay vigilant, adapting to threats as they emerge. Right now, with no patches available and exploitation underway, the priority is containment and preparedness.
If you’re running ESXi, Workstation, or Fusion, don’t delay. Review the advisory, assess your exposure, and take every possible step to mitigate risk. When patches drop, deploy them without hesitation. The stakes—data breaches, operational downtime, or worse—are too high to ignore.
Stay proactive, stay secure.
Update
Please note that patches have now been released to address the vulnerabilities.
Response Matrix:
| VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware ESXi | 8.0 | Any | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | 9.3, 8.2, 7.1 | Critical | ESXi80U3d-24585383 | None | FAQ |
| VMware ESXi | 8.0 | Any | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | 9.3, 8.2, 7.1 | Critical | ESXi80U2d-24585300 | None | FAQ |
| VMware ESXi | 7.0 | Any | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | 9.3, 8.2, 7.1 | Critical | ESXi70U3s-24585291 | None | FAQ |
| VMware Workstation | 17.x | Any | CVE-2025-22224, CVE-2025-22226 | 9.3, 7.1 | Critical | 17.6.3 | None | FAQ |
| VMware Fusion | 13.x | Any | CVE-2025-22226 | 7.1 | Important | 13.6.3 | None | FAQ |
| VMware Cloud Foundation | 5.x | Any | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | 9.3, 8.2, 7.1 | Critical | Async patch to ESXi80U3d-24585383 | None | Async Patching Guide: KB88287 |
| VMware Cloud Foundation | 4.5.x | Any | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | 9.3, 8.2, 7.1 | Critical | Async patch to ESXi70U3s-24585291 | None | Async Patching Guide: KB88287 |
| VMware Telco Cloud Platform | 5.x, 4.x, 3.x, 2.x | Any | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | 9.3, 8.2, 7.1 | Critical | KB389385 | None | FAQ |
| VMware Telco Cloud Infrastructure | 3.x, 2.x | Any | CVE-2025-22224, CVE-2025-22225, CVE-2025-22226 | 9.3, 8.2, 7.1 | Critical | KB389385 | None | FAQ |
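As an added example (my own code, not from the advisory or any Broadcom tooling), here is a small Python check that ties the "Assess Your Environment" step to the Response Matrix: it parses the output of `esxcli system version get` from an ESXi host (the field layout is assumed from memory; the sample output is constructed) and compares the host's build number against the fixed builds listed above, reporting whether the host is patched, still vulnerable, or on a release line for which the matrix lists no in-place fix.

```python
"""Classify an ESXi host against the VMSA-2025-0004 fixed builds."""
import re

# Fixed builds from the VMSA-2025-0004 Response Matrix, keyed by
# (major.minor version, update number). The build is the numeric suffix
# of the "Fixed Version" identifier, e.g. ESXi80U3d-24585383.
FIXED_BUILDS = {
    ("8.0", 3): 24585383,  # ESXi80U3d-24585383
    ("8.0", 2): 24585300,  # ESXi80U2d-24585300
    ("7.0", 3): 24585291,  # ESXi70U3s-24585291
}


def parse_esxcli_version(text):
    """Return ('major.minor', update, build) from `esxcli system version get`."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    version = ".".join(fields["Version"].split(".")[:2])
    update = int(fields.get("Update", "0"))
    # Build line looks like "Releasebuild-24585383"; keep the trailing digits.
    build = int(re.search(r"(\d+)\s*$", fields["Build"]).group(1))
    return version, update, build


def assess(text):
    """'patched', 'vulnerable', or 'no-fixed-build-listed' for one host."""
    version, update, build = parse_esxcli_version(text)
    fixed = FIXED_BUILDS.get((version, update))
    if fixed is None:
        # 6.x, 7.0 U2 and earlier, 8.0 U1, etc.: the matrix lists no fixed
        # build for this line, so consult the advisory/FAQ for that host.
        return "no-fixed-build-listed"
    return "patched" if build >= fixed else "vulnerable"


# Constructed sample output (not a real host); layout assumed.
SAMPLE_VULNERABLE = """\
   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24000000
   Update: 3
   Patch: 0
"""
SAMPLE_PATCHED = SAMPLE_VULNERABLE.replace("24000000", "24585383")

if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_VULNERABLE), ("fixed", SAMPLE_PATCHED)):
        print(label, "->", assess(sample))
```

Because a build number from one update line is not comparable with another line's fixed build, the lookup is keyed on version and update together rather than on the build alone.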