CanSSOC advisory: Active exploitation – VMware zero-day vulnerabilities
Published: March 6, 2025
TLP: CLEAR
CanSSOC Threat Assessment [*]: HIGH
Summary:
Broadcom has issued a critical security advisory for three zero-day vulnerabilities in VMware products, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 [1], which are being actively exploited. Chained together, they allow an attacker who already holds administrative privileges inside a guest virtual machine to escape the VM sandbox and execute code on the hypervisor host, putting every other workload on that host at risk.
Microsoft Threat Intelligence Center reported the issues to Broadcom, which has confirmed that they are being exploited in the wild.
Affected products:
- VMware ESXi
- vSphere
- Workstation
- Fusion
- Cloud Foundation
- Telco Cloud Platform
Unaffected products:
- VMware vCenter
- SDDC Manager
- NSX
- Aria Suite
Attack details & exploitation:
- CVE-2025-22224 (Critical, CVSS 9.3) – A heap-overflow (out-of-bounds write) vulnerability in VMCI, the Virtual Machine Communication Interface. A local administrator inside a guest can use it to execute code as that VM's VMX process on the host.
- CVE-2025-22225 (High, CVSS 8.2) – An arbitrary-write vulnerability in ESXi. An attacker already running in the VMX process can trigger an arbitrary kernel write and escape the VMX sandbox into the ESXi kernel.
- CVE-2025-22226 (Medium, CVSS 7.1) – An out-of-bounds read in HGFS (the Host-Guest File System used for shared folders) that leaks memory from the VMX process to a guest administrator; the leaked memory contents aid exploitation of the other two flaws.
Exploitation requires existing administrative access inside a guest VM, so these flaws do not by themselves give an outside attacker a foothold. However, a single compromised guest, including one belonging to another tenant, is enough to take over the hypervisor and reach every other VM it hosts, which is why the risk is most acute in multi-tenant and cloud environments.
We are asking institutions that have the resources to investigate activity related to these vulnerabilities to do so and report the information back to CanSSOC via your institutional Slack channel or via security@canssoc.canarie.ca.
Recommendations:
- Apply patches immediately – Install the fixed versions listed in VMware Security Advisory VMSA-2025-0004 [2]. Broadcom lists no workaround for these vulnerabilities, so patching is the only remediation; plan the maintenance-mode window and VM evacuation that an ESXi host upgrade requires.
- Conduct risk assessments – Inventory the ESXi, Workstation and Fusion builds in use, compare them against the fixed builds in the advisory, and prioritize hosts that run untrusted or multi-tenant guests and systems that are internet-facing or business-critical.
- Monitor for Indicators of Compromise (IOCs) – Review guest and hypervisor logs for anomalous activity. Because guest administrative access is the precondition for exploitation, investigate unexplained privilege escalation inside VMs, and treat unexplained crashes or restarts of a VM's vmx process as worth examining.
- Enforce access controls – Restrict administrative access inside guests as well as on the hypervisor, and mandate strong authentication for critical systems.
- Implement network segmentation – Reduce the attack surface by limiting lateral movement within virtualized environments, and keep hypervisor management interfaces off networks reachable by guests.
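The build comparison behind the patching and risk-assessment steps above, as an added triage helper that is not part of the CanSSOC advisory or of any VMware tooling. It assumes a constructed CSV inventory (hostname, version, build, exposure) of the kind you might export from vCenter or assemble from `esxcli system version get` on each host, and it keys the fixed builds on the ESXi release line because the 8.0 Update 2 and Update 3 lines were fixed in different builds. The build numbers in FIXED_BUILDS are what the editor recalls from VMSA-2025-0004 and must be confirmed against the advisory before use; the exposure tiers are an assumed classification, not something the advisory defines.

```python
"""Added example: rank ESXi hosts for VMSA-2025-0004 patching from a build inventory.

Not from the advisory or from VMware. All values below are assumptions to verify.
"""
import csv
import io
from dataclasses import dataclass

# First fixed build per ESXi release line (recalled from VMSA-2025-0004; CONFIRM
# against the advisory's "Fixed Version" column before relying on them).
FIXED_BUILDS = {
    "7.0.3": 24585291,  # ESXi70U3s
    "8.0.2": 24585300,  # ESXi80U2d
    "8.0.3": 24585383,  # ESXi80U3d
}

# Assumed exposure tiers, most urgent first. A host running other tenants' guests
# is prioritised because a compromised guest is the exploitation precondition.
EXPOSURE_PRIORITY = {"internet-facing": 0, "multi-tenant": 1, "internal": 2}

STATUS_ORDER = {"vulnerable": 0, "unknown-line": 1, "patched": 2}

# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE_INVENTORY = """\
hostname,version,build,exposure
esx-dmz-01,8.0.3,Releasebuild-24100000,internet-facing
esx-cloud-02,8.0.2,24585300,multi-tenant
esx-lab-03,7.0.3,23000000,internal
esx-core-04,8.0.3,24585383,internal
esx-old-05,6.7.0,20000000,internal
"""


@dataclass
class Finding:
    hostname: str
    version: str
    build: int
    exposure: str
    status: str  # "vulnerable", "patched" or "unknown-line"


def parse_build(raw: str) -> int:
    """Accept both a bare build number and esxcli's 'Releasebuild-NNN' form."""
    return int(raw.strip().rsplit("-", 1)[-1])


def assess_host(version: str, build: int) -> str:
    """Compare a host's build with the first fixed build of its release line.

    A release line missing from FIXED_BUILDS (e.g. an end-of-life 6.x host) cannot
    be cleared by this table and is flagged for manual review rather than assumed safe.
    """
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        return "unknown-line"
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory_csv: str) -> list[Finding]:
    """Return findings sorted so the hosts to patch first come first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        build = parse_build(row["build"])
        findings.append(
            Finding(
                hostname=row["hostname"],
                version=row["version"],
                build=build,
                exposure=row["exposure"],
                status=assess_host(row["version"], build),
            )
        )
    findings.sort(
        key=lambda f: (
            STATUS_ORDER[f.status],
            EXPOSURE_PRIORITY.get(f.exposure, len(EXPOSURE_PRIORITY)),
            f.hostname,
        )
    )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.status:13} {f.exposure:16} {f.hostname:14} {f.version} build {f.build}")
```

Hosts on a release line the table does not know are deliberately not reported as patched; they need a manual check against the advisory (or are out of support and need a migration plan), which is the failure mode a naive "build >= N" script silently gets wrong.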
References:
[1] VMware Zero-Day Vulnerabilities Actively Exploited | SOCRadar
[2] VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities | Broadcom
[3] VMSA-2025-0004: Questions & Answers | Github
[4] CanSSOC Slack channel
[5] Broadcom fixes three VMware zero-days exploited in attacks | Bleeping Computer
Support:
As always, please contact security.response@utoronto.ca if you have any questions or concerns, or if you believe a device has been compromised through these vulnerabilities.
Footnotes:
[*] The CanSSOC Threat Assessment has the following four scores: LOW, MEDIUM, HIGH, SEVERE.