Broadcom warned customers today about three VMware zero-days, tagged as exploited in attacks and reported by the Microsoft Threat Intelligence Center.

The vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) impact VMware ESX products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform.

Broadcom says CVE-2025-22224 is a critical-severity VMCI (Virtual Machine Communication Interface) heap overflow vulnerability that enables local attackers with administrative privileges on the targeted VM to execute code as the VMX process running on the host.

CVE-2025-22225 is an ESXi arbitrary write vulnerability that allows the VMX process to trigger arbitrary kernel writes, leading to a sandbox escape, while CVE-2025-22226 is described as an HGFS information-disclosure flaw that lets threat actors with admin permissions leak memory from the VMX process. Chained, the first two take an attacker who already holds administrative rights inside a guest VM to arbitrary writes in the ESXi kernel, that is, a guest-to-host escape.

VMware vulnerabilities are often targeted in attacks by ransomware gangs and state-sponsored hacking groups because VMware products are commonly used in enterprise environments to store or transfer sensitive corporate data.

Most recently, Broadcom warned in November that attackers were actively exploiting two VMware vCenter Server vulnerabilities that were patched in September. One allows privilege escalation to root (CVE-2024-38813) while the other is a critical remote code execution flaw (CVE-2024-38812) reported during China's 2024 Matrix Cup hacking contest.

In January 2024, Broadcom also revealed that Chinese state hackers had exploited a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since at least late 2021 to deploy the VirtualPita and VirtualPie backdoors on vulnerable ESXi hosts.
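The practical follow-up to an advisory like this is confirming which hosts still run a build below the fixed one. The script below is an added example, not code from the BleepingComputer article or from Broadcom: it parses the output of `esxcli system version get` and compares the host's build number with a minimum fixed build. The fixed build numbers are not given on this page; the value in `ASSUMED_FIXED_BUILD_8_0` is an assumed placeholder to be replaced with the build listed in Broadcom's advisory for the host's release line, and the sample `esxcli` output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article or from Broadcom): decide whether an
# ESXi host carries at least the build that fixes the three CVEs, from the
# text printed by `esxcli system version get`.

# Print the numeric build from a "Build: Releasebuild-NNNNNNNN" line.
esxi_build_number() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Build:[[:space:]]*Releasebuild-\([0-9][0-9]*\).*$/\1/p'
}

# Print the release string, e.g. "8.0.3", from the "Version:" line.
esxi_version_string() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p'
}

# esxi_patch_status VERSION_OUTPUT MIN_FIXED_BUILD
# Prints "patched" if the host build is at or above the fixed build,
# "vulnerable" if it is below, and "unknown" if no build line was found
# (so a parse failure is never silently reported as patched).
esxi_patch_status() {
    build=$(esxi_build_number "$1")
    if [ -z "$build" ]; then
        echo unknown
    elif [ "$build" -ge "$2" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample of `esxcli system version get` output (not captured
# from a real host) for an ESXi 8.0 Update 3 host at an unpatched build.
SAMPLE_VERSION_OUTPUT='   Product: VMware ESXi
   Version: 8.0.3
   Build: Releasebuild-24022510
   Update: 3
   Patch: 0'

# Assumption: placeholder for the first fixed 8.0.x build for
# CVE-2025-22224/22225/22226. Replace with the value from Broadcom's advisory.
ASSUMED_FIXED_BUILD_8_0=24585383

# Stand-alone run against the sample. On a host, pass
# "$(esxcli system version get)" instead of the sample text.
printf 'ESXi %s build %s: %s\n' \
    "$(esxi_version_string "$SAMPLE_VERSION_OUTPUT")" \
    "$(esxi_build_number "$SAMPLE_VERSION_OUTPUT")" \
    "$(esxi_patch_status "$SAMPLE_VERSION_OUTPUT" "$ASSUMED_FIXED_BUILD_8_0")"
```

Run it per release line: ESXi 7.0 and 8.0 hosts have different fixed builds, so the comparison only makes sense against the fixed build for the same `Version:` string, and any host that reports `unknown` should be checked by hand rather than counted as patched.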
Source: www.bleepingcomputer.com. Published: Tue, 04 Mar 2025 13:25:04 +0000