
Broadcom has released security updates to address three actively exploited vulnerabilities in VMware ESXi, Workstation, and Fusion products, which could lead to remote code execution and information disclosure.
The first vulnerability, CVE-2025-22224, has been assigned a critical CVSS score of 9.3 and stems from a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue can result in an out-of-bounds write, enabling an attacker with local administrative privileges on a virtual machine to execute code within the VMX process on the host.
The second vulnerability, CVE-2025-22225, rated 8.2, is associated with arbitrary data writes and may be exploited to escape the virtual machine’s isolated environment.
The third vulnerability, CVE-2025-22226, carries a severity score of 7.1 and allows an attacker with administrative privileges on a virtual machine to read data from the VMX process memory, potentially leading to information leakage.
The following software versions are affected: VMware ESXi 8.0 and 7.0, VMware Workstation 17.x, VMware Fusion 13.x, as well as VMware Cloud Foundation and VMware Telco Cloud. Broadcom has already issued patches to remediate these flaws and strongly urges users to apply them without delay.
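A defender's first job after an advisory like this is to find every host in the affected families and confirm its build is at or above the fixed one. The script below is an added example (not code from Broadcom or from the article): it parses a hypothetical inventory format of `<hostname> <product> <version> build-<n>`, matches each host against the affected families named above (ESXi 8.0 and 7.0, Workstation 17.x, Fusion 13.x), and only reports "patched" or "vulnerable" once the fixed build number, which the page does not give, has been filled in from Broadcom's advisory. The hostnames and build numbers in the sample are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Affected product families as listed in the advisory summary above
# (ESXi 8.0 and 7.0, Workstation 17.x, Fusion 13.x). VMware Cloud Foundation
# and Telco Cloud bundle ESXi, so their hosts appear here under "VMware ESXi".
AFFECTED_FAMILIES = {
    "VMware ESXi": ("8.0", "7.0"),
    "VMware Workstation": ("17.",),
    "VMware Fusion": ("13.",),
}

# Minimum build number that carries the fix, per product. The page does not
# give these numbers, so they are left as None (unknown) and must be filled in
# from Broadcom's advisory before a host can be reported as "patched".
FIXED_BUILDS: dict[str, Optional[int]] = {
    "VMware ESXi": None,
    "VMware Workstation": None,
    "VMware Fusion": None,
}


@dataclass
class Host:
    name: str
    product: str
    version: str
    build: int


# Hypothetical inventory line format: "<hostname> <product> <version> build-<n>"
INVENTORY_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<product>VMware \w+)\s+"
    r"(?P<version>\d+(?:\.\d+)*)\s+build-(?P<build>\d+)$"
)


def parse_inventory(text: str) -> list[Host]:
    """Parse inventory lines; lines that do not match the format are skipped."""
    hosts = []
    for raw in text.splitlines():
        m = INVENTORY_LINE.match(raw.strip())
        if m:
            hosts.append(Host(m["name"], m["product"], m["version"], int(m["build"])))
    return hosts


def in_affected_family(product: str, version: str) -> bool:
    """True if product/version falls in one of the affected families listed above."""
    return any(version.startswith(p) for p in AFFECTED_FAMILIES.get(product, ()))


def assess(host: Host, fixed_builds: dict[str, Optional[int]] = FIXED_BUILDS) -> str:
    """Classify one host relative to the advisory.

    "not-listed" : not in an affected family named on the page (not a safety
                   verdict: end-of-life versions are simply not listed)
    "review"     : affected family, but the fixed build is unknown here
    "patched"    : affected family and build >= fixed build
    "vulnerable" : affected family and build <  fixed build
    """
    if not in_affected_family(host.product, host.version):
        return "not-listed"
    fixed = fixed_builds.get(host.product)
    if fixed is None:
        return "review"
    return "patched" if host.build >= fixed else "vulnerable"


def triage(text: str, fixed_builds: dict[str, Optional[int]] = FIXED_BUILDS) -> dict[str, str]:
    """Map hostname -> status for every parseable line in the inventory text."""
    return {h.name: assess(h, fixed_builds) for h in parse_inventory(text)}


# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE_INVENTORY = """\
esx-a   VMware ESXi        8.0.3  build-1500
esx-b   VMware ESXi        7.0.3  build-2500
ws-a    VMware Workstation 17.5   build-300
fus-a   VMware Fusion      13.5   build-400
ws-old  VMware Workstation 16.2   build-200
garbage line that does not match
"""

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:8} {status}")
    # Once the fixed ESXi build is known from the advisory (2000 is a placeholder),
    # esx-a is reported "vulnerable" and esx-b "patched".
    print(triage(SAMPLE_INVENTORY, {**FIXED_BUILDS, "VMware ESXi": 2000}))
```

With every fixed build still `None`, every host in an affected family comes back as "review" rather than "patched", which is the safe default: a triage script should never report a host as fixed on the strength of a version prefix alone.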
The Microsoft Threat Intelligence Center was the first to detect and report these vulnerabilities. Broadcom has acknowledged that the flaws have been exploited in real-world attacks but has not disclosed details regarding the attack methods or the threat actors responsible.
Given the active exploitation of these vulnerabilities in cyberattacks, timely patching remains a critical security measure for VMware users.