Vulnerabilities Facilitate Potential Hypervisor Escapes

Broadcom has issued urgent updates for three zero-day vulnerabilities in VMware ESXi, the hypervisor that runs the virtual machines in most enterprise vSphere estates. The flaws are being exploited in the wild and, chained together, let an attacker move from a compromised virtual machine to the hypervisor beneath it, putting every workload on the affected host at risk.
According to Broadcom, an attacker who already holds administrative privileges inside a guest operating system can use the flaws to break out of that guest and into the host, which in turn exposes every virtual machine the host manages. The advisory stresses that this level of access lets the attacker read and manipulate data and configuration across the affected environment.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added all three to its Known Exploited Vulnerabilities catalog, which obliges federal civilian agencies to patch by a fixed deadline and signals to everyone else that exploitation is confirmed rather than theoretical.
Researchers warn that the risk should not be underestimated: the chain yields code execution on the ESXi host from inside a guest, and from the host an attacker can reach every virtual machine, datastore and credential the hypervisor touches. Kevin Beaumont, a security researcher, noted that once an attacker holds ESXi, moving across the rest of the server estate is straightforward.
The three flaws are CVE-2025-22224, a time-of-check/time-of-use (TOCTOU) race in the VMCI interface that leads to an out-of-bounds write and code execution in the host's VMX process (CVSS 9.3); CVE-2025-22225, an arbitrary write reachable from the VMX process that completes the sandbox escape to the host (CVSS 8.2); and CVE-2025-22226, an out-of-bounds read in HGFS that leaks VMX process memory to an attacker with administrative privileges in the guest (CVSS 7.1). Read together they describe a complete escape path: the first gets an attacker out of the guest and into VMX, the second escalates from VMX to the host, and the third provides the memory disclosure that helps make the other two reliable.
Rapid7 cautioned against complacency and urged organizations to patch without delay. At the time of writing no public exploit code had been released, a window that will not stay open for long now that the patches can be diffed.
The fix is to install the patched ESXi builds, which means putting each host into maintenance mode and rebooting it; Broadcom lists no workaround. Environments with vMotion can migrate running VMs to another host before each reboot, so patching becomes a rolling operation with no workload downtime; those without it must schedule an outage and power down the VMs on each host while it is updated.
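Before and after a rolling patch, the practical question is which hosts are still below the fixed build. The script below is an added example, not code from the article or from Broadcom: it parses the output of `esxcli system version get` for a fleet of hosts and compares each build number against the fixed build for its version line. The fixed builds in `FIXED_BUILDS` are assumptions recorded from the VMSA-2025-0004 advisory and must be confirmed against it; the host outputs are constructed sample data, and the hostnames are invented.

```python
"""Triage ESXi hosts against the fixed builds for VMSA-2025-0004.

Added example, not from the article or from Broadcom. FIXED_BUILDS is an
assumption to be confirmed against the advisory; SAMPLE_HOSTS is constructed.
"""
import re

# Fixed build per ESXi version line (ASSUMPTION: verify against VMSA-2025-0004).
# esxcli reports "Version: 8.0.3" for ESXi 8.0 Update 3, "8.0.2" for Update 2, etc.
FIXED_BUILDS = {
    "8.0.3": 24585383,  # ESXi 8.0 U3d
    "8.0.2": 24585300,  # ESXi 8.0 U2d
    "7.0.3": 24585291,  # ESXi 7.0 U3s
}

# Constructed sample output of `esxcli system version get` for four hosts.
SAMPLE_HOSTS = {
    "esx01": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24022510\n   Update: 3\n   Patch: 0\n",
    "esx02": "   Product: VMware ESXi\n   Version: 8.0.3\n   Build: Releasebuild-24585383\n   Update: 3\n   Patch: 0\n",
    "esx03": "   Product: VMware ESXi\n   Version: 7.0.3\n   Build: Releasebuild-24585291\n   Update: 3\n   Patch: 0\n",
    "esx04": "   Product: VMware ESXi\n   Version: 6.7.0\n   Build: Releasebuild-17700523\n   Update: 3\n   Patch: 0\n",
}


def parse_esxcli_version(text: str) -> dict:
    """Turn the key/value lines of `esxcli system version get` into a dict.

    Adds BuildNumber (int or None) extracted from the "Releasebuild-NNN" field.
    """
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.+?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    m = re.search(r"(\d+)\s*$", info.get("Build", ""))
    info["BuildNumber"] = int(m.group(1)) if m else None
    return info


def assess(info: dict) -> tuple:
    """Return (status, reason): 'patched', 'vulnerable' or 'unknown'.

    A version line missing from FIXED_BUILDS (for example end-of-life 6.x,
    which received no fix) is reported as unknown rather than silently passed.
    """
    version = info.get("Version", "")
    build = info.get("BuildNumber")
    if build is None:
        return "unknown", "could not parse build number"
    fixed = FIXED_BUILDS.get(version)
    if fixed is None:
        return "unknown", f"version {version} not in fixed-build table; check the advisory"
    if build >= fixed:
        return "patched", f"build {build} >= fixed build {fixed}"
    return "vulnerable", f"build {build} < fixed build {fixed}"


def triage(hosts: dict) -> dict:
    """Map each hostname to its (status, reason) assessment."""
    return {name: assess(parse_esxcli_version(out)) for name, out in hosts.items()}


if __name__ == "__main__":
    for host, (status, reason) in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{host:8} {status:10} {reason}")
```

Builds increase monotonically across ESXi releases, so the comparison is keyed on the version line rather than the major version alone; otherwise an 8.0 U3 host would be measured against the U2d build and could be misjudged in either direction. Anything the table does not know about is reported as unknown so that unsupported or unexpected hosts are surfaced instead of assumed safe.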
Analysts advise affected organizations not just to patch but to look for evidence of prior compromise: because the flaws have been exploited in the wild and yield host-level access, a host may already have been attacked, and ESXi hosts should be checked for unexpected configuration changes and unfamiliar activity rather than assumed clean once updated. Mapped to MITRE ATT&CK, the guest-to-hypervisor jump is Escape to Host (T1611), followed by the privilege escalation and lateral movement that a compromised hypervisor enables; walking those techniques in the matrix is a practical way to decide which detections to build while the patch rollout is still in progress.