Steven Lafortune
On March 4, Broadcom issued an emergency security alert urging some VMware customers to immediately install an update. The warning comes after a trio of critical zero-day bugs were found in multiple products and are being actively exploited. Details of the vulnerabilities, affected products/versions, and fixes are provided below.
About the vulnerabilities
The vulnerabilities, which have been collectively dubbed “ESXicape,” were discovered by researchers at the MSTIC, who then reported them to Broadcom. Here is how attackers could exploit these bugs in the real world:
- Initial Access: Attackers may gain access to a low-privilege virtual machine via stolen credentials, phishing, or weak authentication policies.
- Privilege Escalation & VM Escape: Exploiting vulnerabilities (particularly CVE-2025-22224 as described below) allows the attacker to break out of the VM and access the underlying hypervisor.
- Lateral Movement: Once inside, the attacker can pivot to other virtual machines running on the same host and exfiltrate sensitive data.
- Persistence: The attacker could deploy backdoors or malware to maintain long-term control over the infrastructure.
Identifiers
The vulnerabilities are being tracked under the following identifiers:
| Identifier | Products Affected | Threat | CVSS |
|---|---|---|---|
| CVE-2025-22224 | VMware ESXi, VMware Workstation | Contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability that leads to an out-of-bounds write. | Critical severity range with a maximum CVSSv3 base score of 9.3 |
| CVE-2025-22225 | VMware ESXi | Contains an arbitrary write vulnerability. | Important severity range with a maximum CVSSv3 base score of 8.2 |
| CVE-2025-22226 | VMware ESXi, VMware Workstation, VMware Fusion | Contains an information disclosure vulnerability due to an out-of-bounds read in Host Guest File System (HGFS). | Important severity range with a maximum CVSSv3 base score of 7.1 |
Versions
Broadcom has confirmed that the following product versions running on any machine are vulnerable:
- VMware ESXi versions: 8.0; 7.0.
- VMware Workstation versions: 17.x
- VMware Fusion: 13.x
- VMware Cloud Foundation: 5.x; 4.5x
- VMware Telco Cloud Platform: 5.x; 4.x; 3.x; 2.x
- VMware Telco Cloud Infrastructure: 3.x; 2.x
Active attacks
According to a report, the vulnerabilities are actively being exploited by an a yet-unnamed ransomware group. Broadcom has also acknowledged that it has “information to suggest that exploitation of these issues has occurred in the wild.” However, to date the company has not disclosed details on the nature of the attacks, or the identity of the threat actors.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the three zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, and ordered all federal civilian agencies to apply the patch by March 25, 2025.
Fixes
Broadcom has stated that no workarounds are available. Therefore, affected customers are advised to immediately download and install patched versions from the company’s website. Additional documentation, including FAQs and references, are also provided.
Insights & advice from Devolutions’ Information Security Manager Patrick Pilotte
In a perfect world, zero-days wouldn’t exist. Unfortunately, that expectation isn’t realistic. For this reason, we believe that all vendors — including those who already engage in rigorous testing and red teaming —should run a Bug Bounty program. At Devolutions, our program encourages and incentivizes researchers to try and “attack and break” our products, so that we can proactively identify and fix vulnerabilities.
In addition, Devolutions’ security solutions can help organizations reduce the risk and impact of zero-day vulnerabilities:
- Devolutions Server - Enhanced Privileged Access Management (PAM)
◦ Restricts administrative privileges to only authorized users, reducing the attack surface. ◦ Monitors and audits privileged user activity in real time, helping organizations quickly detect and respond to unauthorized or suspicious behavior. ◦ Mitigate risks to CVEs (including those related to the VMware products) by protecting the admin account in the PAM.
- Devolutions Hub - Secure Credential Management
◦ Prevents unauthorized access by enforcing centralized, encrypted credential storage. ◦ Enhances security with automatic password rotation, reducing the risks associated with compromised credentials.
- Devolutions Gateway - Secure Remote Access
◦ Provides a zero-trust approach to remote access, preventing lateral movement in case of a compromised VM. ◦ Session isolation ensures that even if a virtual machine is breached, attackers cannot easily pivot to other internal systems. ◦ Mitigates risks when installed on the vCenter Server (if hosted on Windows) to control access to vCenter.
The final word
VMware enjoys a dominant position in the virtualization market. Unfortunately, this popularity also makes it a prime target for bad actors in search of a master key to infiltrate numerous accounts and machines. An estimated 85,000 companies worldwide, including many small and mid-sized businesses, use VMware as a virtualization tool.
Organizations should not take a passive approach and wait for the next emergency security bulletin from Broadcom — which, for them, may arrive too late. Instead, they should be proactive and implement solutions that reduce the risk of unauthorized access, and at the same time strengthen overall credential management. It is a smart and strategic investment in their security profile, and given the potentially catastrophic costs of a breach, it could be a crucial factor in their long-term survival.
Patrick Pilotte
