Attackers are hitting VMware hard again. Specifically, three zero-day vulnerabilities – CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 – are actively exploited as of March 13, 2025. Consequently, Broadcom dropped patches on March 4, 2025, via VMSA-2025-0004. However, over 37,000 ESXi servers remain exposed. So, let’s break this down technically, explore the fixes, and get you patched up fast.
What’s Happening with These Bugs?
First, CVE-2025-22224 is a beast. This heap overflow flaw in the Virtual Machine Communication Interface (VMCI) scores a CVSS of 9.3. Because it’s a Time-of-Check Time-of-Use (TOCTOU) vulnerability, attackers with VM admin rights can exploit it. Next, they execute code on the VMX process. Ultimately, this risks a full VM escape to the hypervisor.
Then, there’s CVE-2025-22225. Exclusive to ESXi, this arbitrary file write bug scores 8.2. After compromising the VMX process, attackers can write to kernel memory. Thus, they escalate to hypervisor control. Finally, CVE-2025-22226, with a CVSS of 7.1, leaks memory via an out-of-bounds read in the Host Guest File System (HGFS). Although less severe, it fuels the exploit chain.
Together, these flaws are a sandbox escape nightmare. Indeed, Microsoft flagged active attacks, and Shadowserver counts 37,000+ vulnerable ESXi instances. Clearly, patching is urgent.
Why Are So Many Still Vulnerable?
Despite patches landing nine days ago, thousands lag behind. For instance, China, France, and the U.S. top the unpatched list. Perhaps it’s Broadcom’s support portal woes—some admins report download errors. Alternatively, legacy systems or slow IT processes could be culprits. Regardless, X chatter shows frustration. And with CISA setting a March 25, 2025, deadline for federal agencies, the clock’s ticking.
Let’s get technical. Initially, CVE-2025-22224 triggers via a race condition in VMCI. Because it’s a heap overflow, attackers overwrite memory in the VMX process. Then, CVE-2025-22225 steps in. By writing to kernel memory, it breaks the sandbox. Meanwhile, CVE-2025-22226 leaks data like pointers or keys from HGFS. Combined, they’re a lethal trio—VM escape, hypervisor takeover, and data exposure.
Notably, no public PoCs exist yet. However, active exploitation means attackers already have working code. So, don’t wait for details—patch now.
Which Versions Are Affected and Fixed?
Now, let’s talk versions. For ESXi, affected releases include 8.0 before Update 3d, 7.0 before Update 3s, and 6.7 (unsupported since 2022). Similarly, Workstation pre-17.5.2 and Fusion pre-13.5.2 are hit. Fortunately, Broadcom patched them all.
Here’s the fix list from March 4, 2025:
- ESXi 8.0: Upgrade to 8.0 Update 3d (Build 23307199).
- ESXi 7.0: Move to 7.0 Update 3s (Build 23307198).
- Workstation: Update to 17.5.2.
- Fusion: Get 13.5.2.
Before patching, check your build. For example, ESXi 8.0 U2a (Build 22380479) is vulnerable. After confirming, grab updates from Broadcom’s portal—or wrestle its in-product updater if the site’s down.

How Do I Patch This Mess?
Ready to fix it? First, log into the Broadcom Support Portal. Then, search VMSA-2025-0004 for your product. Next, download the patch—ESXi folks, grab the offline bundle (e.g., ESXi800-202503001.zip). Alternatively, use the in-product update if the portal fails.
For ESXi, here’s the CLI method, but refer to the product documentation and your own business procedures before blindly following these commands:
- Put the host in maintenance mode: esxcli system maintenanceMode set -e true
- Upload the patch to a datastore. We’re calling it patch.zip here.
- Run: esxcli software vib update -d /vmfs/volumes/datastore/patch.zip
- Reboot: reboot
- Exit maintenance: esxcli system maintenanceMode set -e false
Afterward, verify the build with vmware -vl. If it matches (e.g., 23307199 for 8.0 U3d), you’re golden. Otherwise, recheck your steps.
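To make the before-and-after build check less error-prone across many hosts, here is an added example (not code from the post or from Broadcom) that classifies the banner line of vmware -v / vmware -vl against the fixed builds listed in the fix list above. It assumes the banner has the form "VMware ESXi <major.minor.patch> build-<number>"; the sample banners in the block are constructed.

```shell
#!/bin/sh
# Added example (not from the post): classify an ESXi host's "vmware -v" banner
# against the fixed builds the post lists for VMSA-2025-0004.
# Assumption: the first line of "vmware -v" / "vmware -vl" has the form
#   "VMware ESXi <major.minor.patch> build-<number>"

FIXED_BUILD_80=23307199   # ESXi 8.0 Update 3d, per the post's fix list
FIXED_BUILD_70=23307198   # ESXi 7.0 Update 3s, per the post's fix list

# esxi_patch_status "<banner line>"  ->  prints fixed | vulnerable | eol | unknown
esxi_patch_status() {
    banner=$1
    pattern='^VMware ESXi \([0-9]*\.[0-9]*\)[^ ]* build-\([0-9]*\).*'
    ver=$(printf '%s\n' "$banner" | sed -n "s/$pattern/\\1/p")
    build=$(printf '%s\n' "$banner" | sed -n "s/$pattern/\\2/p")
    if [ -z "$ver" ] || [ -z "$build" ]; then
        echo unknown          # banner did not parse; inspect the host by hand
        return 0
    fi
    case $ver in
        8.0) min=$FIXED_BUILD_80 ;;
        7.0) min=$FIXED_BUILD_70 ;;
        6.7) echo eol; return 0 ;;     # end-of-life: no patch, upgrade instead
        *)   echo unknown; return 0 ;;
    esac
    # Any build at or above the fixed build carries the fix.
    if [ "$build" -ge "$min" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample banners for offline use; on a live host run:
#   esxi_patch_status "$(vmware -v)"
for sample in \
    "VMware ESXi 8.0.2 build-22380479" \
    "VMware ESXi 8.0.3 build-23307199" \
    "VMware ESXi 6.7.0 build-17700523"
do
    printf '%-40s %s\n' "$sample" "$(esxi_patch_status "$sample")"
done
```

Run it once before patching to confirm a host is actually on an affected build, and again after the reboot to confirm the new build took.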
For Workstation or Fusion, it’s simpler. Just download the installer, run it, and restart. Either way, no workarounds exist—patching is your only shield.
What If I’m Running Old Versions?
Still on ESXi 6.7? Bad news—it’s end-of-life since October 2022. Although CVE-2025-22226 hits it, no patch is coming. Instead, upgrade to 7.0 U3s or 8.0 U3d. Yes, it’s a lift, but staying exposed isn’t an option.
Final Thoughts: Act Fast
These zero-days are live, lethal, and fixable. So, grab those patches—March 4, 2025, builds are your lifeline. Because attackers won’t wait, neither should you. Check your versions, follow your upgrade documentation, and secure your infrastructure. Otherwise, 37,000 unpatched peers might soon have company.