Broadcom Warns of Critical VMware Vulnerabilities Amid Active Exploitation

2025-03-06 security

San Jose, Thursday, 6 March 2025.
Broadcom has urgently advised VMware users to patch three vulnerabilities, collectively nicknamed ‘ESXicape,’ that are already being exploited in the wild, warning of a high risk of unauthorized system access and data compromise.

Critical Vulnerabilities Unveiled

On March 4, 2025, Broadcom disclosed three actively exploited zero-day vulnerabilities affecting VMware’s core hypervisor products: ESXi, Workstation, and Fusion [1]. The most severe, CVE-2025-22224, carries a CVSS score of 9.3 and is a time-of-check/time-of-use (TOCTOU) race condition that leads to an out-of-bounds write [2]. The other two, CVE-2025-22225 (CVSS 8.2) and CVE-2025-22226 (CVSS 7.1), enable a sandbox escape and an information disclosure respectively [2]; together the three form a chain that takes an attacker from a guest virtual machine to the host hypervisor.

Exploitation and Impact

Security experts have emphasized the severe implications of these vulnerabilities. According to Stephen Fewer, principal security researcher at Rapid7, ‘The impact here is huge, an attacker who has compromised a hypervisor can go on to compromise any of the other virtual machines that share the same hypervisor’ [1]. The situation is particularly concerning because these vulnerabilities are already being exploited by an unnamed ransomware group [1]. The exposure is broad: VMware holds roughly 42.7% of the virtualization market, with over half of that installed base in the U.S. [3].

Technical Details and Attack Vector

The flaws are not remotely exploitable on their own: an attacker must first hold privileged (administrator or root) access inside a guest virtual machine [3]. From there, as Broadcom explains, ‘This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access could move into the hypervisor itself’ [4]. That precondition matters most in multi-tenant or hosting environments, where one compromised or untrusted guest is enough to endanger every other workload on the same host. Security expert Jason Soroko from Sectigo warns that ‘In a worst-case scenario, this breach permits reconfiguration of the hypervisor, lateral movement across systems, exfiltration of sensitive data… effectively compromising the entire virtualized ecosystem’ [3].

Response and Mitigation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by March 25, 2025 [2]. Broadcom has released emergency patches and is strongly urging all customers to apply them immediately [1]; because the bugs live in the hypervisor itself, no guest-side hardening substitutes for updating the host. This incident follows a pattern of VMware-targeted attacks, including the 2024 exploitation of VMware hypervisor flaws by groups deploying Black Basta and LockBit ransomware [1].
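For teams that track KEV deadlines programmatically, the following is an added example (not code from the article, Broadcom or CISA) of cross-checking a KEV catalog export against the CVEs you care about. CISA publishes the catalog as JSON; the excerpt embedded below is constructed for this example and reuses the real feed’s field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), but apart from the three CVE IDs and the March 25, 2025 due date from the article, every value in it is an assumption. The `CVE-0000-0000` entry in the demo run is an obviously fake placeholder used only to exercise the not-listed branch.

```python
"""Cross-check tracked CVEs against a CISA KEV catalog export.

Added example; not from the article, Broadcom or CISA. The catalog text
below is a constructed excerpt in the shape of the real KEV JSON feed.
"""
import json
from datetime import date
from typing import Dict, Iterable, List, NamedTuple, Optional, Union

# Constructed sample in the KEV feed's JSON layout. Only the CVE IDs and the
# 2025-03-25 federal due date come from the article; other values are assumed.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "constructed-sample",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2025-22224", "vendorProject": "VMware",
     "product": "ESXi, Workstation, Fusion", "dateAdded": "2025-03-04",
     "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-22225", "vendorProject": "VMware",
     "product": "ESXi", "dateAdded": "2025-03-04",
     "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-22226", "vendorProject": "VMware",
     "product": "ESXi, Workstation, Fusion", "dateAdded": "2025-03-04",
     "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# The three 'ESXicape' CVEs named in the article.
TRACKED_CVES = ["CVE-2025-22224", "CVE-2025-22225", "CVE-2025-22226"]


class KevStatus(NamedTuple):
    cve: str
    listed: bool                 # present in the KEV catalog?
    due: Optional[date]          # federal remediation due date, if listed
    days_left: Optional[int]     # negative once the due date has passed
    ransomware_use: Optional[str]


def load_catalog(text: str) -> Dict[str, dict]:
    """Parse a KEV JSON export into a dict keyed by CVE ID."""
    data = json.loads(text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def kev_status(catalog: Dict[str, dict], cve_ids: Iterable[str],
               today: Union[str, date]) -> List[KevStatus]:
    """Look each CVE up in the catalog and compute days left until its due date."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    results = []
    for cve in cve_ids:
        entry = catalog.get(cve)
        if entry is None:
            results.append(KevStatus(cve, False, None, None, None))
            continue
        due = date.fromisoformat(entry["dueDate"])
        results.append(KevStatus(cve, True, due, (due - today).days,
                                 entry.get("knownRansomwareCampaignUse")))
    return results


def outstanding(statuses: Iterable[KevStatus], remediated: Iterable[str]) -> List[KevStatus]:
    """KEV-listed CVEs you have not yet remediated, earliest due date first."""
    done = set(remediated)
    todo = [s for s in statuses if s.listed and s.cve not in done]
    return sorted(todo, key=lambda s: s.due)


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_KEV_JSON)
    # Run as of the article's date; CVE-0000-0000 is a fake placeholder.
    statuses = kev_status(catalog, TRACKED_CVES + ["CVE-0000-0000"], "2025-03-06")
    for s in statuses:
        if s.listed:
            print(f"{s.cve}: due {s.due}, {s.days_left} day(s) left, ransomware use: {s.ransomware_use}")
        else:
            print(f"{s.cve}: not in KEV catalog")
    # Assume only CVE-2025-22225 has been patched so far on this estate.
    for s in outstanding(statuses, {"CVE-2025-22225"}):
        print(f"OUTSTANDING {s.cve} (due {s.due})")
```

In practice you would replace `SAMPLE_KEV_JSON` with the downloaded feed and feed `outstanding()` the CVEs your patch-management system reports as closed; a negative `days_left` on anything still outstanding is your overdue list.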

sources

  1. techcrunch.com
  2. thehackernews.com
  3. www.cybersecuritydive.com
  4. www.securityweek.com

zero-day vulnerabilities security threat