Broadcom Issues Critical Security Updates for VMware Products
Broadcom has announced the release of vital security updates addressing three critical vulnerabilities in VMware’s ESXi, Workstation, and Fusion products. These flaws, currently being exploited in the wild, pose significant risks, including potential code execution and information disclosure. Business owners and IT administrators are urged to act swiftly to protect their environments.
The vulnerabilities addressed by these updates are CVE-2025-22224, with a CVSS score of 9.3, a Time-of-Check Time-of-Use (TOCTOU) vulnerability that allows an attacker with local administrative privileges on a virtual machine to execute code via an out-of-bounds write; CVE-2025-22225, with a CVSS score of 8.2, an arbitrary write vulnerability that could allow a privileged user within the VMX process to escape the sandbox; and CVE-2025-22226, with a CVSS score of 7.1, an information disclosure vulnerability caused by an out-of-bounds read in HGFS that allows a privileged attacker to leak memory from the VMX process.
The affected versions span multiple platforms: ESXi 8.0 and 7.0, Workstation 17.x, and Fusion 13.x. VMware Cloud Foundation and Telco Cloud Platform are also affected, so the relevant patches should be applied promptly. Organizations running these platforms should prioritize updating to the latest versions to mitigate the risk posed by these exploits.
Broadcom has acknowledged that these vulnerabilities have been exploited in various active attacks, although they have not provided specific details on the nature of the threats or the identity of the threat actors involved. This revelation underscores the critical need for cybersecurity vigilance among businesses utilizing VMware solutions. The Microsoft Threat Intelligence Center is credited with identifying these vulnerabilities, further emphasizing the collaborative efforts within the cybersecurity community to safeguard users.
In a related development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included these vulnerabilities in its Known Exploited Vulnerabilities catalog. This action mandates that federal civilian agencies finalize patches by March 25, 2025, indicating the severity and urgency of the threat landscape. CISA’s move highlights the importance of maintaining up-to-date protective measures, especially for organizations handling sensitive data.
Mapped to the MITRE ATT&CK framework, the tactics relevant to these vulnerabilities include initial access and privilege escalation: an attacker who already controls a guest operating system could use these flaws to gain a foothold on the hypervisor. This scenario illustrates why enterprises must reinforce their defenses against such intrusions.
For businesses, these ongoing security issues serve as a stark reminder of the ever-evolving nature of cyber threats. Acting decisively to apply patches and remain informed about vulnerabilities is essential in defending against potential exploits. As the cybersecurity landscape continues to grow increasingly complex, maintaining robust security protocols has never been more crucial for organizations striving to safeguard their digital assets.
Business owners are advised to stay informed about the risks associated with the technologies they deploy, continually reviewing vulnerability notifications and threat intelligence to enhance their cybersecurity posture.