
Broadcom has released security updates to address three actively exploited security flaws in VMware ESXi, Workstation, and Fusion products that could lead to code execution and information disclosure.
The list of vulnerabilities is as follows:
- CVE-2025-22224 (CVSS score: 9.3) – A Time-of-Check Time-of-Use (TOCTOU) vulnerability that leads to an out-of-bounds write, which a malicious actor with local administrative privileges on a virtual machine could exploit to execute code as the virtual machine's VMX process running on the host
- CVE-2025-22225 (CVSS score: 8.2) – An arbitrary write vulnerability that a malicious actor with privileges within the VMX process could exploit to trigger a sandbox escape
- CVE-2025-22226 (CVSS score: 7.1) – An information disclosure vulnerability due to an out-of-bounds read in HGFS that a malicious actor with administrative privileges to a virtual machine could exploit to leak memory from the VMX process

The shortcomings impact the below versions:
- VMware ESXi 8.0 – Fixed in ESXi80U3d-24585383, ESXi80U2d-24585300
- VMware ESXi 7.0 – Fixed in ESXi70U3s-24585291
- VMware Workstation 17.x – Fixed in 17.6.3
- VMware Fusion 13.x – Fixed in 13.6.3
- VMware Cloud Foundation 5.x – Async patch to ESXi80U3d-24585383
- VMware Cloud Foundation 4.x – Async patch to ESXi70U3s-24585291
- VMware Telco Cloud Platform 5.x, 4.x, 3.x, 2.x – Fixed in ESXi 7.0U3s, ESXi 8.0U2d, and ESXi 8.0U3d
- VMware Telco Cloud Infrastructure 3.x, 2.x – Fixed in ESXi 7.0U3s
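
An added example, not from Broadcom or the original article: a Python check that compares ESXi hosts against the fixed builds listed above, one release line at a time. It assumes the input is the one-line banner printed by `vmware -v`; the hostnames and build numbers in the sample inventory are constructed.

```python
import re

# Fixed builds from the list above, keyed by ESXi release line (major, minor, update).
FIXED_BUILDS = {
    (8, 0, 3): 24585383,  # ESXi80U3d-24585383
    (8, 0, 2): 24585300,  # ESXi80U2d-24585300
    (7, 0, 3): 24585291,  # ESXi70U3s-24585291
}

# Assumption: input is the one-line banner printed by `vmware -v` on the host.
BANNER = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)")


def assess(banner):
    """Classify one banner as patched, vulnerable, unlisted or unknown."""
    m = BANNER.search(banner)
    if not m:
        return "unknown"
    major, minor, update, build = (int(g) for g in m.groups())
    fixed = FIXED_BUILDS.get((major, minor, update))
    if fixed is None:
        # Release line not in the list above (e.g. 8.0 Update 1): no fixed
        # build to compare against, so flag it for manual review.
        return "unlisted"
    # Compare within the host's own release line only: a build number that
    # clears the 8.0 U2 threshold can still be below the 8.0 U3 one.
    return "patched" if build >= fixed else "vulnerable"


def hosts_needing_action(inventory):
    """Return {host: status} for every host that is not confirmed patched."""
    report = {}
    for host, banner in inventory.items():
        status = assess(banner)
        if status != "patched":
            report[host] = status
    return report


# Constructed sample inventory (hostnames and build numbers are illustrative).
SAMPLE_INVENTORY = {
    "esx-a.example.internal": "VMware ESXi 8.0.3 build-24585383",
    "esx-b.example.internal": "VMware ESXi 8.0.3 build-24585300",
    "esx-c.example.internal": "VMware ESXi 7.0.3 build-24000000",
    "esx-d.example.internal": "VMware ESXi 8.0.1 build-22000000",
    "esx-e.example.internal": "connection timed out",
}

if __name__ == "__main__":
    for host, status in sorted(hosts_needing_action(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```
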
In a separate FAQ, Broadcom stated that it has "information to suggest that exploitation of these issues has occurred 'in the wild,'" but it did not elaborate on the nature of the attacks or the identity of the threat actors that have weaponized them.
The virtualization services provider credited the Microsoft Threat Intelligence Center for discovering and reporting the bugs. In light of active exploitation, it is essential that users apply the latest patches for optimal protection.